From ae4bbb72bbbf85dd321640ac145288f0e6e2255e Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Thu, 27 May 2021 14:35:01 +0900 Subject: [PATCH 1/3] Update Istio latest to 1.10.0 stable to 1.9.3 As per title: BEFORE: latest: 1.9.3 stable: 1.9.1 AFTER: latest: 1.10.0 stabel: 1.9.3 --- .../istio-latest/generate-manifests.sh | 2 +- .../istio-latest/istio-ci-mesh/istio.yaml | 7935 +++++++++++------ .../istio-latest/istio-ci-no-mesh/istio.yaml | 7935 +++++++++++------ .../istio-latest/istio-kind-mesh/istio.yaml | 7935 +++++++++++------ .../istio-kind-no-mesh/istio.yaml | 7935 +++++++++++------ .../istio-stable/generate-manifests.sh | 2 +- .../istio-stable/istio-ci-mesh/istio.yaml | 242 +- .../istio-stable/istio-ci-no-mesh/istio.yaml | 242 +- .../istio-stable/istio-kind-mesh/istio.yaml | 242 +- .../istio-kind-no-mesh/istio.yaml | 242 +- 10 files changed, 21778 insertions(+), 10934 deletions(-) diff --git a/third_party/istio-latest/generate-manifests.sh b/third_party/istio-latest/generate-manifests.sh index 30c8cf6e41..2afe41a2eb 100755 --- a/third_party/istio-latest/generate-manifests.sh +++ b/third_party/istio-latest/generate-manifests.sh @@ -16,6 +16,6 @@ source "$(dirname $0)/../library.sh" -generate "1.9.3" "$(dirname $0)" \ +generate "1.10.0" "$(dirname $0)" \ --set values.pilot.env.PILOT_ENABLE_STATUS=true \ --set values.global.istiod.enableAnalysis=true \ diff --git a/third_party/istio-latest/istio-ci-mesh/istio.yaml b/third_party/istio-latest/istio-ci-mesh/istio.yaml index 0fd8330b4e..6d3187a139 100644 --- a/third_party/istio-latest/istio-ci-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-mesh/istio.yaml @@ -146,6 +146,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - get - watch @@ -158,6 +159,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - update resources: 
@@ -295,6 +297,12 @@ rules: - get - watch - list + - apiGroups: + - networking.x-k8s.io + resources: + - '*' + verbs: + - update - apiGroups: - "" resources: @@ -303,6 +311,16 @@ rules: - get - watch - list + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -418,7 +436,7 @@ subjects: name: istiod-service-account namespace: istio-system --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
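Review bot: The rule added in the `@@ -295,6 +297,12 @@` hunk grants `update` on `resources: - '*'` for the `networking.x-k8s.io` group, so the istiod ClusterRole can modify every resource in that group, including kinds added later, rather than only the objects it reports status on. The next hunk (`@@ -303,6 +311,16 @@`) also adds `create` and `delete` on `serviceexports` in `multicluster.x-k8s.io`, and the commit description mentions neither privilege increase. Because this manifest is generated from the upstream chart, an edit made here would be overwritten on the next regeneration. If a tighter rule is wanted, it belongs in a post-generation patch that lists the status subresources explicitly, for example `- gateways/status` and `- httproutes/status`; which ones istiod needs should be confirmed against upstream. The `rules:` list starts and ends outside these hunks, so the complete role is not visible here, and the other regenerated istio-latest manifests presumably carry the same change.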
@@ -441,215 +459,214 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. + spec: + description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider properties: - name: - description: Specifies the name of the extension provider. - format: string + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. 
- items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. 
+ type: array + to: + description: Optional. + items: properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: description: Optional. items: format: string type: string type: array - ports: + values: description: Optional. items: format: string type: string type: array type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -662,15 +679,6 @@ metadata: knative.dev/crd-install: "true" name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -682,1314 +690,2385 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this destination rule is exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: format: string type: string - trafficPolicy: - description: Traffic policies that apply to this subset. + type: array + host: + description: The name of a service from the service registry. 
+ format: string + type: string + subsets: + items: properties: - connectionPool: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - http: - description: HTTP connection pool settings. + connectionPool: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + http: + description: HTTP connection pool settings. properties: - interval: - description: The time duration between keep-alive probes. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - probes: + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 type: integer - time: + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - httpCookie: - description: Hash based on HTTP cookie. + consistentHash: properties: - name: - description: Name of the cookie. + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - path: - description: Path to set for the cookie. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. format: string type: string - ttl: - description: Lifetime of the cookie. - type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - minimumRingSize: + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. 
- format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, e.g. 
- format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: interval: - description: Time interval between ejection sweep analysis. + description: The time duration between keep-alive probes. 
type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: + probes: type: integer + time: + type: string type: object - tls: - description: TLS related settings for connections to the upstream service. + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. + name: + description: Name of the cookie. format: string type: string - credentialName: + path: + description: Path to set for the cookie. format: string type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string + ttl: + description: Lifetime of the cookie. 
type: string - subjectAltNames: - items: - format: string - type: string - type: array type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - maxRetries: + consecutiveErrors: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. + maxEjectionPercent: format: int32 type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. 
- items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. 
- type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array + type: array + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - preserveUnknownFields: true - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + format: string type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string + labels: + additionalProperties: + format: string + type: string type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY + name: + description: Name of the subset. 
+ format: string type: string - listener: - description: Match on envoy listener attributes. + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - filterChain: - description: Match a specific filter chain in a listener. + connectionPool: properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply the patch to. + http: + description: HTTP connection pool settings. properties: - name: - description: The filter name to match on. - format: string + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string - subFilter: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: name: - description: The filter name to match on. + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. format: string type: string + ttl: + description: Lifetime of the cookie. + type: string type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - name: - description: The name assigned to the filter chain. 
- format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - sni: - description: The SNI value used by a filter chain's match condition. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + sni: + description: SNI string to present to the server during TLS handshake. format: string type: string + subjectAltNames: + items: + format: string + type: string + type: array type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. 
+ format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: + connectionPool: properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual host. + http: + description: HTTP connection pool settings. properties: - action: - description: Match a route with specific action type. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - name: - format: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. 
+ items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was generated. + type: integer + service: + description: The fully qualified service name for this cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. 
+ format: string + type: string + sni: + description: The SNI value used by a filter chain's match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: Match a route with specific action type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2013,141 +3092,264 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: format: string type: string - port: + type: object + servers: + description: A list of server specifications. + items: properties: - name: - description: Label assigned to the port. + bind: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + defaultEndpoint: format: string type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + hosts: + description: One or more hosts exposed by this gateway. 
items: format: string type: string type: array - credentialName: + name: + description: An optional name of the server, when set must be unique across all servers. format: string type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: format: string type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + defaultEndpoint: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: + hosts: + description: One or more hosts exposed by this gateway. items: format: string type: string type: array + name: + description: An optional name of the server, when set must be unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - type: object - status: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io 
@@ -2155,51 +3357,43 @@ metadata: release: istio knative.dev/crd-install: "true" spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + - description: IOP current state + jsonPath: .status.status + name: Status type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: type: object - versions: - - name: v1alpha1 + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2213,15 +3407,6 @@ metadata: knative.dev/crd-install: "true" name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -2233,62 +3418,70 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication on. + spec: + description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. properties: - matchLabels: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: additionalProperties: - format: string - type: string + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2313,87 +3506,86 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods are supported by a workload. + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. + spec: + description: RequestAuthentication defines what request authentication methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + items: format: string type: string - prefix: - description: The prefix that should be stripped before decoding the token. + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: format: string type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. 
+ format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication on. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2406,23 +3598,6 @@ metadata: knative.dev/crd-install: "true" name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -2434,211 +3609,220 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: format: string type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer type: object - locality: - description: The locality associated with the endpoint. + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: format: string type: string - network: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - egress: - items: - properties: - bind: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: properties: - name: - description: Label assigned to the port. + address: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. format: string type: string - targetPort: + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. + type: array + exportTo: + description: A list of namespaces to which this service is exported. 
+ items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - port: - description: The port associated with the listener. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: properties: name: description: Label assigned to the port. 
@@ -2654,56 +3838,39 @@ spec: targetPort: type: integer type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: + type: array + resolution: + description: Service discovery mode for the hosts. enum: - - REGISTRY_ONLY - - ALLOW_ANY + - NONE + - STATIC + - DNS type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2714,772 +3881,1914 @@ metadata: heritage: Tiller release: istio knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io + name: sidecars.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. 
- items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: items: format: string type: string type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. - items: + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
+ properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. format: string type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform CORS requests. - items: + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. format: string type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + knative.dev/crd-install: "true" + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - 
description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. 
+ type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. 
+ format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: properties: - exact: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - prefix: + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string type: object type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay will be injected. - properties: - value: - format: double - type: number - type: object - type: object + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array type: object - headers: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: properties: - request: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: + allowCredentials: + nullable: true + type: boolean + allowHeaders: items: format: string type: string type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: format: string type: string - type: object - remove: + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array - set: - additionalProperties: + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: format: string type: string - type: object + type: array + maxAge: + type: string type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be applied. - items: + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
format: string type: string - type: array - headers: - additionalProperties: + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: oneOf: - not: anyOf: - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error properties: - exact: - format: string - type: string - prefix: + grpcStatus: format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + http2Error: format: string type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being addressed. 
- type: integer - queryParams: - additionalProperties: + delay: oneOf: - not: anyOf: - required: - - exact - - required: - - prefix + - fixedDelay - required: - - regex + - exponentialDelay - required: - - exact + - fixedDelay - required: - - prefix - - required: - - regex + - exponentialDelay properties: - exact: - format: string + exponentialDelay: type: string - prefix: - format: string + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. 
+ items: format: string type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + number: + type: integer type: object - description: withoutHeader has the same syntax with the header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. format: string type: string - port: - description: Specifies the port on the host that is being addressed. + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. properties: - number: + authority: + format: string + type: string + redirectCode: type: integer + uri: + format: string + type: string type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. 
- format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes place. - format: string + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry to other localities. - nullable: true - type: boolean type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) traffic. - items: - properties: - destination: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. 
- properties: - number: - type: integer + type: integer + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object - headers: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: + destination: properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. 
- items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + type: object + type: array + tls: + items: + properties: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
format: string type: string type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. + destination: properties: - number: - type: integer + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -3492,15 +5801,6 @@ metadata: knative.dev/crd-install: "true" name: workloadentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string group: networking.istio.io names: categories: 
@@ -3512,196 +5812,75 @@ spec: shortNames: - we singular: workloadentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: - annotations: - additionalProperties: - format: string - type: string - type: object + address: + format: string + type: string labels: additionalProperties: format: string type: string + description: One or more labels associated with the endpoint. type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. 
type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - template: - description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: format: string 
@@ -3731,15 +5910,192 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- apiVersion: v1 kind: ConfigMap @@ -3779,11 +6135,6 @@ data: values: |- { "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, @@ -3874,7 +6225,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.10.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -3893,7 +6244,6 @@ data: "address": "" } }, - "trustDomain": "", "useMCP": false }, "istio_cni": { @@ -3912,7 +6262,7 @@ data: }, "rewriteAppHTTPProbe": true, "templates": {}, - "useLegacySelectors": true + "useLegacySelectors": false } } config: |- 
@@ -3938,6 +6288,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -4009,7 +6360,7 @@ data: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -4078,7 +6429,7 @@ data: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true @@ -4140,6 +6491,10 @@ data: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER @@ -4242,7 +6597,7 @@ data: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: @@ -4429,6 +6784,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: 
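Review bot: The three `imagePullPolicy` lines changed in this template (the hunks at -4009, -4078 and -4242) no longer fall back to `Always`. When `.Values.global.imagePullPolicy` is unset the field is omitted and the kubelet default applies, which is `IfNotPresent` for an image referenced by tag. The injected init and proxy containers would then start from whatever a node already has cached under that tag, without a registry check. The value in effect is not visible in these hunks; if the old behaviour is wanted, set it in the generator, e.g. `--set values.global.imagePullPolicy=Always`.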
@@ -4787,6 +7143,10 @@ spec: value: istio-ingressgateway - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local - name: ISTIO_META_UNPRIVILEGED_POD value: "true" - name: ISTIO_META_ROUTER_MODE @@ -4795,7 +7155,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.10.0 name: istio-proxy ports: - containerPort: 15021 @@ -4804,10 +7164,6 @@ spec: protocol: TCP - containerPort: 8443 protocol: TCP - - containerPort: 15012 - protocol: TCP - - containerPort: 15443 - protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP @@ -4989,9 +7345,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - - name: EXTERNAL_ISTIOD - value: "false" - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.10.0 name: discovery ports: - containerPort: 8080 @@ -5019,8 +7373,6 @@ spec: runAsNonRoot: true runAsUser: 1337 volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true @@ -5032,9 +7384,6 @@ spec: - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - - mountPath: /var/lib/istio/inject - name: inject - readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod-service-account @@ -5057,12 +7406,6 @@ spec: secret: optional: true secretName: istio-kubeconfig - - configMap: - name: istio-sidecar-injector - name: inject - - configMap: - name: istio - name: config-volume --- apiVersion: v1 kind: Service @@ -5095,14 +7438,6 @@ spec: port: 443 protocol: TCP targetPort: 8443 - - name: tcp-istiod - port: 15012 - protocol: TCP - targetPort: 15012 - - name: tls - port: 15443 - protocol: TCP - targetPort: 15443 --- apiVersion: v1 kind: Service 
@@ -5197,7 +7532,7 @@ spec: app: istiod istio: pilot --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector @@ -5208,12 +7543,87 @@ metadata: app: sidecar-injector release: istio webhooks: - - name: sidecar-injector.istio.io + - name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - default + - name: namespace.sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: /inject + port: 443 caBundle: "" sideEffects: None rules: 
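Review bot: Every webhook added in the -5208 hunk keeps `failurePolicy: Fail` on pod `CREATE`, and `rev.object.sidecar-injector.istio.io` selects all namespaces that carry neither `istio-injection` nor `istio.io/rev`, so a pod label alone now opts a workload into injection in namespaces nobody enabled. The `object.sidecar-injector.istio.io` entry in the following hunk does the same for `sidecar.istio.io/inject: "true"`. Anyone allowed to set pod labels can therefore trigger injection, and creating those pods depends on istiod being reachable, system namespaces included, since no selector excludes them. Because the file is generated, I would record this beside the version in the generator script, for example `# 1.10 injector: pod-label opt-in works in unlabelled namespaces; failurePolicy is Fail`, and confirm the test clusters do not label pods in `kube-system`.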
@@ -5230,16 +7640,55 @@ webhooks: - v1beta1 - v1 namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled objectSelector: matchExpressions: - key: sidecar.istio.io/inject operator: NotIn values: - "false" + - name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system @@ -5275,7 +7724,7 @@ webhooks: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8 + name: metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5287,7 +7736,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5314,7 +7763,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5341,7 +7790,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5461,7 +7910,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8 + name: stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default 
@@ -5471,7 +7920,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5492,6 +7941,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: stats_outbound @@ -5503,7 +7954,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5524,6 +7975,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: stats_inbound @@ -5535,7 +7996,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5556,6 +8017,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: @@ -5705,7 +8168,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8 + name: tcp-metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5715,7 +8178,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: {} patch: operation: INSERT_BEFORE @@ -5730,7 +8193,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE @@ -5746,7 +8209,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE 
@@ -5819,7 +8282,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8 + name: tcp-stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5829,7 +8292,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5848,6 +8311,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: tcp_stats_inbound @@ -5859,7 +8332,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5878,6 +8351,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -5889,7 +8364,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5908,6 +8383,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound diff --git a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml index 2f5cda841b..c572d52e19 100644 --- a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml @@ -146,6 +146,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - get - watch @@ -158,6 +159,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - update resources: 
@@ -295,6 +297,12 @@ rules: - get - watch - list + - apiGroups: + - networking.x-k8s.io + resources: + - '*' + verbs: + - update - apiGroups: - "" resources: @@ -303,6 +311,16 @@ rules: - get - watch - list + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -418,7 +436,7 @@ subjects: name: istiod-service-account namespace: istio-system --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -441,215 +459,214 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. + spec: + description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider properties: - name: - description: Specifies the name of the extension provider. - format: string + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. 
- items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. 
+ type: array + to: + description: Optional. + items: properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: description: Optional. items: format: string type: string type: array - ports: + values: description: Optional. items: format: string type: string type: array type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -662,15 +679,6 @@ metadata: knative.dev/crd-install: "true" name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -682,1314 +690,2385 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this destination rule is exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: format: string type: string - trafficPolicy: - description: Traffic policies that apply to this subset. + type: array + host: + description: The name of a service from the service registry. 
+ format: string + type: string + subsets: + items: properties: - connectionPool: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - http: - description: HTTP connection pool settings. + connectionPool: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + http: + description: HTTP connection pool settings. properties: - interval: - description: The time duration between keep-alive probes. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - probes: + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 type: integer - time: + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - httpCookie: - description: Hash based on HTTP cookie. + consistentHash: properties: - name: - description: Name of the cookie. + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - path: - description: Path to set for the cookie. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. format: string type: string - ttl: - description: Lifetime of the cookie. - type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - minimumRingSize: + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. 
- format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, e.g. 
- format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: interval: - description: Time interval between ejection sweep analysis. + description: The time duration between keep-alive probes. 
type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: + probes: type: integer + time: + type: string type: object - tls: - description: TLS related settings for connections to the upstream service. + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. + name: + description: Name of the cookie. format: string type: string - credentialName: + path: + description: Path to set for the cookie. format: string type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string + ttl: + description: Lifetime of the cookie. 
type: string - subjectAltNames: - items: - format: string - type: string - type: array type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - maxRetries: + consecutiveErrors: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. + maxEjectionPercent: format: int32 type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. 
- items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. 
- type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array + type: array + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - preserveUnknownFields: true - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + format: string type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string + labels: + additionalProperties: + format: string + type: string type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY + name: + description: Name of the subset. 
+ format: string type: string - listener: - description: Match on envoy listener attributes. + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - filterChain: - description: Match a specific filter chain in a listener. + connectionPool: properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply the patch to. + http: + description: HTTP connection pool settings. properties: - name: - description: The filter name to match on. - format: string + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string - subFilter: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: name: - description: The filter name to match on. + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. format: string type: string + ttl: + description: Lifetime of the cookie. + type: string type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - name: - description: The name assigned to the filter chain. 
- format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - sni: - description: The SNI value used by a filter chain's match condition. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + sni: + description: SNI string to present to the server during TLS handshake. format: string type: string + subjectAltNames: + items: + format: string + type: string + type: array type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. 
+ format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: + connectionPool: properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual host. + http: + description: HTTP connection pool settings. properties: - action: - description: Match a route with specific action type. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - name: - format: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. 
+ items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was generated. + type: integer + service: + description: The fully qualified service name for this cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. 
+ format: string + type: string + sni: + description: The SNI value used by a filter chain's match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: Match a route with specific action type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2013,141 +3092,264 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: format: string type: string - port: + type: object + servers: + description: A list of server specifications. + items: properties: - name: - description: Label assigned to the port. + bind: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + defaultEndpoint: format: string type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + hosts: + description: One or more hosts exposed by this gateway. 
items: format: string type: string type: array - credentialName: + name: + description: An optional name of the server, when set must be unique across all servers. format: string type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: format: string type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + defaultEndpoint: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: + hosts: + description: One or more hosts exposed by this gateway. items: format: string type: string type: array + name: + description: An optional name of the server, when set must be unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - type: object - status: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io 
@@ -2155,51 +3357,43 @@ metadata: release: istio knative.dev/crd-install: "true" spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + - description: IOP current state + jsonPath: .status.status + name: Status type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: type: object - versions: - - name: v1alpha1 + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2213,15 +3407,6 @@ metadata: knative.dev/crd-install: "true" name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -2233,62 +3418,70 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication on. + spec: + description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. properties: - matchLabels: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: additionalProperties: - format: string - type: string + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2313,87 +3506,86 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods are supported by a workload. + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. + spec: + description: RequestAuthentication defines what request authentication methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + items: format: string type: string - prefix: - description: The prefix that should be stripped before decoding the token. + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: format: string type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. 
+ format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication on. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2406,23 +3598,6 @@ metadata: knative.dev/crd-install: "true" name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -2434,211 +3609,220 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: format: string type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer type: object - locality: - description: The locality associated with the endpoint. + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: format: string type: string - network: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - egress: - items: - properties: - bind: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: properties: - name: - description: Label assigned to the port. + address: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. format: string type: string - targetPort: + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. + type: array + exportTo: + description: A list of namespaces to which this service is exported. 
+ items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - port: - description: The port associated with the listener. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: properties: name: description: Label assigned to the port. 
@@ -2654,56 +3838,39 @@ spec: targetPort: type: integer type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: + type: array + resolution: + description: Service discovery mode for the hosts. enum: - - REGISTRY_ONLY - - ALLOW_ANY + - NONE + - STATIC + - DNS type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2714,772 +3881,1914 @@ metadata: heritage: Tiller release: istio knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io + name: sidecars.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. 
- items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: items: format: string type: string type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. - items: + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
+ properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. format: string type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform CORS requests. - items: + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. format: string type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + knative.dev/crd-install: "true" + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - 
description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. 
+ type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. 
+ format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: properties: - exact: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - prefix: + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string type: object type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay will be injected. - properties: - value: - format: double - type: number - type: object - type: object + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array type: object - headers: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: properties: - request: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: + allowCredentials: + nullable: true + type: boolean + allowHeaders: items: format: string type: string type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: format: string type: string - type: object - remove: + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array - set: - additionalProperties: + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: format: string type: string - type: object + type: array + maxAge: + type: string type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be applied. - items: + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
format: string type: string - type: array - headers: - additionalProperties: + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: oneOf: - not: anyOf: - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error properties: - exact: - format: string - type: string - prefix: + grpcStatus: format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + http2Error: format: string type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being addressed. 
- type: integer - queryParams: - additionalProperties: + delay: oneOf: - not: anyOf: - required: - - exact - - required: - - prefix + - fixedDelay - required: - - regex + - exponentialDelay - required: - - exact + - fixedDelay - required: - - prefix - - required: - - regex + - exponentialDelay properties: - exact: - format: string + exponentialDelay: type: string - prefix: - format: string + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. 
+ items: format: string type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + number: + type: integer type: object - description: withoutHeader has the same syntax with the header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. format: string type: string - port: - description: Specifies the port on the host that is being addressed. + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. properties: - number: + authority: + format: string + type: string + redirectCode: type: integer + uri: + format: string + type: string type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. 
- format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes place. - format: string + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry to other localities. - nullable: true - type: boolean type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) traffic. - items: - properties: - destination: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. 
- properties: - number: - type: integer + type: integer + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object - headers: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: + destination: properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. 
- items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + type: object + type: array + tls: + items: + properties: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
format: string type: string type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. + destination: properties: - number: - type: integer + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -3492,15 +5801,6 @@ metadata: knative.dev/crd-install: "true" name: workloadentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string group: networking.istio.io names: categories: 
@@ -3512,196 +5812,75 @@ spec: shortNames: - we singular: workloadentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: - annotations: - additionalProperties: - format: string - type: string - type: object + address: + format: string + type: string labels: additionalProperties: format: string type: string + description: One or more labels associated with the endpoint. type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. 
type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - template: - description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: format: string 
@@ -3731,15 +5910,192 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- apiVersion: v1 kind: ConfigMap @@ -3778,11 +6134,6 @@ data: values: |- { "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, @@ -3873,7 +6224,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.10.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -3892,7 +6243,6 @@ data: "address": "" } }, - "trustDomain": "", "useMCP": false }, "istio_cni": { @@ -3911,7 +6261,7 @@ data: }, "rewriteAppHTTPProbe": true, "templates": {}, - "useLegacySelectors": true + "useLegacySelectors": false } } config: |- 
@@ -3937,6 +6287,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -4008,7 +6359,7 @@ data: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -4077,7 +6428,7 @@ data: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true @@ -4139,6 +6490,10 @@ data: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER @@ -4241,7 +6596,7 @@ data: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: @@ -4428,6 +6783,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: 
@@ -4788,13 +7144,17 @@ spec: value: istio-ingressgateway - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local - name: ISTIO_META_UNPRIVILEGED_POD value: "true" - name: ISTIO_META_ROUTER_MODE value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.10.0 name: istio-proxy ports: - containerPort: 15021 @@ -4803,10 +7163,6 @@ spec: protocol: TCP - containerPort: 8443 protocol: TCP - - containerPort: 15012 - protocol: TCP - - containerPort: 15443 - protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP @@ -4988,9 +7344,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - - name: EXTERNAL_ISTIOD - value: "false" - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.10.0 name: discovery ports: - containerPort: 8080 @@ -5018,8 +7372,6 @@ spec: runAsNonRoot: true runAsUser: 1337 volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true @@ -5031,9 +7383,6 @@ spec: - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - - mountPath: /var/lib/istio/inject - name: inject - readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod-service-account @@ -5056,12 +7405,6 @@ spec: secret: optional: true secretName: istio-kubeconfig - - configMap: - name: istio-sidecar-injector - name: inject - - configMap: - name: istio - name: config-volume --- apiVersion: v1 kind: Service @@ -5094,14 +7437,6 @@ spec: port: 443 protocol: TCP targetPort: 8443 - - name: tcp-istiod - port: 15012 - protocol: TCP - targetPort: 15012 - - name: tls - port: 15443 - protocol: TCP - targetPort: 15443 --- apiVersion: v1 kind: Service 
@@ -5196,7 +7531,7 @@ spec: app: istiod istio: pilot --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector @@ -5207,12 +7542,87 @@ metadata: app: sidecar-injector release: istio webhooks: - - name: sidecar-injector.istio.io + - name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - default + - name: namespace.sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: /inject + port: 443 caBundle: "" sideEffects: None rules: 
@@ -5229,16 +7639,55 @@ webhooks: - v1beta1 - v1 namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled objectSelector: matchExpressions: - key: sidecar.istio.io/inject operator: NotIn values: - "false" + - name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system @@ -5274,7 +7723,7 @@ webhooks: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8 + name: metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5286,7 +7735,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5313,7 +7762,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5340,7 +7789,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5460,7 +7909,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8 + name: stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default 
@@ -5470,7 +7919,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5491,6 +7940,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: stats_outbound @@ -5502,7 +7953,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5523,6 +7974,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: stats_inbound @@ -5534,7 +7995,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5555,6 +8016,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: @@ -5704,7 +8167,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8 + name: tcp-metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5714,7 +8177,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: {} patch: operation: INSERT_BEFORE @@ -5729,7 +8192,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE @@ -5745,7 +8208,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE 
@@ -5818,7 +8281,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8 + name: tcp-stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5828,7 +8291,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5847,6 +8310,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: tcp_stats_inbound @@ -5858,7 +8331,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5877,6 +8350,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -5888,7 +8363,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5907,6 +8382,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound diff --git a/third_party/istio-latest/istio-kind-mesh/istio.yaml b/third_party/istio-latest/istio-kind-mesh/istio.yaml index 5261411cd9..9f5add1690 100644 --- a/third_party/istio-latest/istio-kind-mesh/istio.yaml +++ b/third_party/istio-latest/istio-kind-mesh/istio.yaml @@ -146,6 +146,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - get - watch @@ -158,6 +159,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - update resources: 
@@ -295,6 +297,12 @@ rules: - get - watch - list + - apiGroups: + - networking.x-k8s.io + resources: + - '*' + verbs: + - update - apiGroups: - "" resources: @@ -303,6 +311,16 @@ rules: - get - watch - list + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -418,7 +436,7 @@ subjects: name: istiod-service-account namespace: istio-system --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -441,215 +459,214 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. + spec: + description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider properties: - name: - description: Specifies the name of the extension provider. - format: string + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. 
- items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. 
+ type: array + to: + description: Optional. + items: properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: description: Optional. items: format: string type: string type: array - ports: + values: description: Optional. items: format: string type: string type: array type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -662,15 +679,6 @@ metadata: knative.dev/crd-install: "true" name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -682,1314 +690,2385 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this destination rule is exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: format: string type: string - trafficPolicy: - description: Traffic policies that apply to this subset. + type: array + host: + description: The name of a service from the service registry. 
+ format: string + type: string + subsets: + items: properties: - connectionPool: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - http: - description: HTTP connection pool settings. + connectionPool: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + http: + description: HTTP connection pool settings. properties: - interval: - description: The time duration between keep-alive probes. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - probes: + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 type: integer - time: + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - httpCookie: - description: Hash based on HTTP cookie. + consistentHash: properties: - name: - description: Name of the cookie. + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - path: - description: Path to set for the cookie. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. format: string type: string - ttl: - description: Lifetime of the cookie. - type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - minimumRingSize: + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. 
- format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, e.g. 
- format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: interval: - description: Time interval between ejection sweep analysis. + description: The time duration between keep-alive probes. 
type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: + probes: type: integer + time: + type: string type: object - tls: - description: TLS related settings for connections to the upstream service. + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. + name: + description: Name of the cookie. format: string type: string - credentialName: + path: + description: Path to set for the cookie. format: string type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string + ttl: + description: Lifetime of the cookie. 
type: string - subjectAltNames: - items: - format: string - type: string - type: array type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - maxRetries: + consecutiveErrors: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. + maxEjectionPercent: format: int32 type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. 
- items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. 
- type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array + type: array + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - preserveUnknownFields: true - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + format: string type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string + labels: + additionalProperties: + format: string + type: string type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY + name: + description: Name of the subset. 
+ format: string type: string - listener: - description: Match on envoy listener attributes. + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - filterChain: - description: Match a specific filter chain in a listener. + connectionPool: properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply the patch to. + http: + description: HTTP connection pool settings. properties: - name: - description: The filter name to match on. - format: string + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string - subFilter: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: name: - description: The filter name to match on. + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. format: string type: string + ttl: + description: Lifetime of the cookie. + type: string type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - name: - description: The name assigned to the filter chain. 
- format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - sni: - description: The SNI value used by a filter chain's match condition. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + sni: + description: SNI string to present to the server during TLS handshake. format: string type: string + subjectAltNames: + items: + format: string + type: string + type: array type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. 
+ format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: + connectionPool: properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual host. + http: + description: HTTP connection pool settings. properties: - action: - description: Match a route with specific action type. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - name: - format: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. 
+ items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was generated. + type: integer + service: + description: The fully qualified service name for this cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. 
+ format: string + type: string + sni: + description: The SNI value used by a filter chain's match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: Match a route with specific action type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2013,141 +3092,264 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: format: string type: string - port: + type: object + servers: + description: A list of server specifications. + items: properties: - name: - description: Label assigned to the port. + bind: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + defaultEndpoint: format: string type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + hosts: + description: One or more hosts exposed by this gateway. 
items: format: string type: string type: array - credentialName: + name: + description: An optional name of the server, when set must be unique across all servers. format: string type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: format: string type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + defaultEndpoint: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: + hosts: + description: One or more hosts exposed by this gateway. items: format: string type: string type: array + name: + description: An optional name of the server, when set must be unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - type: object - status: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io 
@@ -2155,51 +3357,43 @@ metadata: release: istio knative.dev/crd-install: "true" spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + - description: IOP current state + jsonPath: .status.status + name: Status type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: type: object - versions: - - name: v1alpha1 + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2213,15 +3407,6 @@ metadata: knative.dev/crd-install: "true" name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -2233,62 +3418,70 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication on. + spec: + description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. properties: - matchLabels: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: additionalProperties: - format: string - type: string + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2313,87 +3506,86 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods are supported by a workload. + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. + spec: + description: RequestAuthentication defines what request authentication methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + items: format: string type: string - prefix: - description: The prefix that should be stripped before decoding the token. + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: format: string type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. 
+ format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication on. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2406,23 +3598,6 @@ metadata: knative.dev/crd-install: "true" name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -2434,211 +3609,220 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: format: string type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer type: object - locality: - description: The locality associated with the endpoint. + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: format: string type: string - network: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - egress: - items: - properties: - bind: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: properties: - name: - description: Label assigned to the port. + address: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. format: string type: string - targetPort: + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. + type: array + exportTo: + description: A list of namespaces to which this service is exported. 
+ items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - port: - description: The port associated with the listener. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: properties: name: description: Label assigned to the port. 
@@ -2654,56 +3838,39 @@ spec: targetPort: type: integer type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: + type: array + resolution: + description: Service discovery mode for the hosts. enum: - - REGISTRY_ONLY - - ALLOW_ANY + - NONE + - STATIC + - DNS type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2714,772 +3881,1914 @@ metadata: heritage: Tiller release: istio knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io + name: sidecars.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. 
- items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: items: format: string type: string type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. - items: + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
+ properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. format: string type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform CORS requests. - items: + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. format: string type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + knative.dev/crd-install: "true" + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - 
description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. 
+ type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. 
+ format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: properties: - exact: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - prefix: + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string type: object type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay will be injected. - properties: - value: - format: double - type: number - type: object - type: object + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array type: object - headers: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: properties: - request: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: + allowCredentials: + nullable: true + type: boolean + allowHeaders: items: format: string type: string type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: format: string type: string - type: object - remove: + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array - set: - additionalProperties: + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: format: string type: string - type: object + type: array + maxAge: + type: string type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be applied. - items: + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
format: string type: string - type: array - headers: - additionalProperties: + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: oneOf: - not: anyOf: - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error properties: - exact: - format: string - type: string - prefix: + grpcStatus: format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + http2Error: format: string type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being addressed. 
- type: integer - queryParams: - additionalProperties: + delay: oneOf: - not: anyOf: - required: - - exact - - required: - - prefix + - fixedDelay - required: - - regex + - exponentialDelay - required: - - exact + - fixedDelay - required: - - prefix - - required: - - regex + - exponentialDelay properties: - exact: - format: string + exponentialDelay: type: string - prefix: - format: string + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. 
+ items: format: string type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + number: + type: integer type: object - description: withoutHeader has the same syntax with the header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. format: string type: string - port: - description: Specifies the port on the host that is being addressed. + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. properties: - number: + authority: + format: string + type: string + redirectCode: type: integer + uri: + format: string + type: string type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. 
- format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes place. - format: string + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry to other localities. - nullable: true - type: boolean type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) traffic. - items: - properties: - destination: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. 
- properties: - number: - type: integer + type: integer + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object - headers: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: + destination: properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. 
- items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + type: object + type: array + tls: + items: + properties: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
format: string type: string type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. + destination: properties: - number: - type: integer + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -3492,15 +5801,6 @@ metadata: knative.dev/crd-install: "true" name: workloadentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string group: networking.istio.io names: categories: 
@@ -3512,196 +5812,75 @@ spec: shortNames: - we singular: workloadentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: - annotations: - additionalProperties: - format: string - type: string - type: object + address: + format: string + type: string labels: additionalProperties: format: string type: string + description: One or more labels associated with the endpoint. type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. 
type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - template: - description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: format: string 
@@ -3731,15 +5910,192 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- apiVersion: v1 kind: ConfigMap @@ -3779,11 +6135,6 @@ data: values: |- { "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, @@ -3874,7 +6225,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.10.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -3893,7 +6244,6 @@ data: "address": "" } }, - "trustDomain": "", "useMCP": false }, "istio_cni": { @@ -3912,7 +6262,7 @@ data: }, "rewriteAppHTTPProbe": true, "templates": {}, - "useLegacySelectors": true + "useLegacySelectors": false } } config: |- 
@@ -3938,6 +6288,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -4009,7 +6360,7 @@ data: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -4078,7 +6429,7 @@ data: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true @@ -4140,6 +6491,10 @@ data: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER @@ -4242,7 +6597,7 @@ data: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: @@ -4429,6 +6784,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: 
@@ -4787,6 +7143,10 @@ spec: value: istio-ingressgateway - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local - name: ISTIO_META_UNPRIVILEGED_POD value: "true" - name: ISTIO_META_ROUTER_MODE @@ -4795,7 +7155,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.10.0 name: istio-proxy ports: - containerPort: 15021 @@ -4804,10 +7164,6 @@ spec: protocol: TCP - containerPort: 8443 protocol: TCP - - containerPort: 15012 - protocol: TCP - - containerPort: 15443 - protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP @@ -4989,9 +7345,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - - name: EXTERNAL_ISTIOD - value: "false" - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.10.0 name: discovery ports: - containerPort: 8080 @@ -5019,8 +7373,6 @@ spec: runAsNonRoot: true runAsUser: 1337 volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true @@ -5032,9 +7384,6 @@ spec: - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - - mountPath: /var/lib/istio/inject - name: inject - readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod-service-account @@ -5057,12 +7406,6 @@ spec: secret: optional: true secretName: istio-kubeconfig - - configMap: - name: istio-sidecar-injector - name: inject - - configMap: - name: istio - name: config-volume --- apiVersion: v1 kind: Service @@ -5095,14 +7438,6 @@ spec: port: 443 protocol: TCP targetPort: 8443 - - name: tcp-istiod - port: 15012 - protocol: TCP - targetPort: 15012 - - name: tls - port: 15443 - protocol: TCP - targetPort: 15443 --- apiVersion: v1 kind: Service 
@@ -5197,7 +7532,7 @@ spec: app: istiod istio: pilot --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector @@ -5208,12 +7543,87 @@ metadata: app: sidecar-injector release: istio webhooks: - - name: sidecar-injector.istio.io + - name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - default + - name: namespace.sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: /inject + port: 443 caBundle: "" sideEffects: None rules: 
@@ -5230,16 +7640,55 @@ webhooks: - v1beta1 - v1 namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled objectSelector: matchExpressions: - key: sidecar.istio.io/inject operator: NotIn values: - "false" + - name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system @@ -5275,7 +7724,7 @@ webhooks: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8 + name: metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5287,7 +7736,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5314,7 +7763,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5341,7 +7790,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5461,7 +7910,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8 + name: stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default 
@@ -5471,7 +7920,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5492,6 +7941,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: stats_outbound @@ -5503,7 +7954,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5524,6 +7975,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: stats_inbound @@ -5535,7 +7996,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5556,6 +8017,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: @@ -5705,7 +8168,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8 + name: tcp-metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5715,7 +8178,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: {} patch: operation: INSERT_BEFORE @@ -5730,7 +8193,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE @@ -5746,7 +8209,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE 
@@ -5819,7 +8282,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8 + name: tcp-stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5829,7 +8292,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5848,6 +8311,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: tcp_stats_inbound @@ -5859,7 +8332,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5878,6 +8351,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -5889,7 +8364,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5908,6 +8383,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound diff --git a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml index 7a11a575b2..245be0cea9 100644 --- a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml @@ -146,6 +146,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - get - watch @@ -158,6 +159,7 @@ rules: - networking.istio.io - authentication.istio.io - rbac.istio.io + - telemetry.istio.io verbs: - update resources: 
@@ -295,6 +297,12 @@ rules: - get - watch - list + - apiGroups: + - networking.x-k8s.io + resources: + - '*' + verbs: + - update - apiGroups: - "" resources: @@ -303,6 +311,16 @@ rules: - get - watch - list + - apiGroups: + - multicluster.x-k8s.io + resources: + - serviceexports + verbs: + - get + - watch + - list + - create + - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -418,7 +436,7 @@ subjects: name: istiod-service-account namespace: istio-system --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -441,215 +459,214 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. + spec: + description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider properties: - name: - description: Specifies the name of the extension provider. - format: string + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. 
- items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. - items: - format: string - type: string - type: array + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. 
+ type: array + to: + description: Optional. + items: properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. + items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: description: Optional. items: format: string type: string type: array - ports: + values: description: Optional. items: format: string type: string type: array type: object + type: array + type: object + type: array + selector: + description: Optional. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -662,15 +679,6 @@ metadata: knative.dev/crd-install: "true" name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -682,1314 +690,2385 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this destination rule is exported. - items: - format: string - type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - name: - description: Name of the subset. + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: format: string type: string - trafficPolicy: - description: Traffic policies that apply to this subset. + type: array + host: + description: The name of a service from the service registry. 
+ format: string + type: string + subsets: + items: properties: - connectionPool: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - http: - description: HTTP connection pool settings. + connectionPool: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + http: + description: HTTP connection pool settings. properties: - interval: - description: The time duration between keep-alive probes. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. 
+ enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - probes: + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 type: integer - time: + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - httpCookie: - description: Hash based on HTTP cookie. + consistentHash: properties: - name: - description: Name of the cookie. + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - path: - description: Path to set for the cookie. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. format: string type: string - ttl: - description: Lifetime of the cookie. - type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. 
+ type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - minimumRingSize: + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. 
- format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, e.g. 
- format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: interval: - description: Time interval between ejection sweep analysis. + description: The time duration between keep-alive probes. 
type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: + probes: type: integer + time: + type: string type: object - tls: - description: TLS related settings for connections to the upstream service. + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. + name: + description: Name of the cookie. format: string type: string - credentialName: + path: + description: Path to set for the cookie. format: string type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string + ttl: + description: Lifetime of the cookie. 
type: string - subjectAltNames: - items: - format: string - type: string - type: array type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - maxRetries: + consecutiveErrors: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. + maxEjectionPercent: format: int32 type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
- properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: + minHealthPercent: + format: int32 type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' - items: + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash properties: - from: - description: Originating region. - format: string - type: string - to: - format: string + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. 
- items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. + outlierDetection: properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + baseEjectionTime: + description: Minimum ejection duration. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to a destination. - format: int32 + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. + consecutiveErrors: format: int32 type: integer - idleTimeout: - description: The idle timeout for upstream connection pool connections. + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to a backend. + maxEjectionPercent: format: int32 type: integer - maxRetries: + minHealthPercent: format: int32 type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved while initiating connection to backend. - type: boolean type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. + port: properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a destination host. - format: int32 + number: type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. 
- type: string - probes: - type: integer - time: - type: string - type: object type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: + tls: + description: TLS related settings for connections to the upstream service. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + caCertificates: format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover can be set.' 
- items: - properties: - from: - description: Originating locality, '/' separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can be set.' + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object + format: string + type: string type: array type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. 
- type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array + type: array + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - preserveUnknownFields: true - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG + spec: + description: 'Configuration affecting load balancing, outlier detection, etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is exported. + items: + format: string type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was generated. - type: integer - service: - description: The fully qualified service name for this cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string + labels: + additionalProperties: + format: string + type: string type: object - context: - description: The specific config generation context to match on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY + name: + description: Name of the subset. 
+ format: string type: string - listener: - description: Match on envoy listener attributes. + trafficPolicy: + description: Traffic policies that apply to this subset. properties: - filterChain: - description: Match a specific filter chain in a listener. + connectionPool: properties: - applicationProtocols: - description: Applies only to sidecars. - format: string - type: string - destinationPort: - description: The destination_port value used by a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply the patch to. + http: + description: HTTP connection pool settings. properties: - name: - description: The filter name to match on. - format: string + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. type: string - subFilter: + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. properties: name: - description: The filter name to match on. + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. format: string type: string + ttl: + description: Lifetime of the cookie. + type: string type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - name: - description: The name assigned to the filter chain. 
- format: string + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string - sni: - description: The SNI value used by a filter chain's match condition. + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. format: string type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. + sni: + description: SNI string to present to the server during TLS handshake. format: string type: string + subjectAltNames: + items: + format: string + type: string + type: array type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. 
+ format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. format: string type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. 
+ nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: + connectionPool: properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual host. + http: + description: HTTP connection pool settings. properties: - action: - description: Match a route with specific action type. + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded to http2 for the associated destination. enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE type: string - name: - format: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. 
type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object type: object type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. 
+ items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + format: string + type: string + portNumber: + description: The service port for which this cluster was generated. + type: integer + service: + description: The fully qualified service name for this cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. 
+ format: string + type: string + sni: + description: The SNI value used by a filter chain's match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual host. + properties: + action: + description: Match a route with specific action type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2013,141 +3092,264 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be unique across all servers. + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: format: string type: string - port: + type: object + servers: + description: A list of server specifications. + items: properties: - name: - description: Label assigned to the port. + bind: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + defaultEndpoint: format: string type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified cipher list.' + hosts: + description: One or more hosts exposed by this gateway. 
items: format: string type: string type: array - credentialName: + name: + description: An optional name of the server, when set must be unique across all servers. format: string type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: format: string type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + defaultEndpoint: format: string type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: + hosts: + description: One or more hosts exposed by this gateway. items: format: string type: string type: array + name: + description: An optional name of the server, when set must be unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object type: object - type: object - type: array - type: object - status: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io 
@@ -2155,51 +3357,43 @@ metadata: release: istio knative.dev/crd-install: "true" spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + - description: IOP current state + jsonPath: .status.status + name: Status type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: type: object - versions: - - name: v1alpha1 + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2213,15 +3407,6 @@ metadata: knative.dev/crd-install: "true" name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -2233,62 +3418,70 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication on. + spec: + description: PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. properties: - matchLabels: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: additionalProperties: - format: string - type: string + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2313,87 +3506,86 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods are supported by a workload. + versions: + - name: v1beta1 + schema: + openAPIV3Schema: properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. + spec: + description: RequestAuthentication defines what request authentication methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the selected workloads' proxy. + items: + properties: + audiences: + items: format: string type: string - prefix: - description: The prefix that should be stripped before decoding the token. + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: format: string type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. 
+ format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication on. + properties: + matchLabels: + additionalProperties: + format: string + type: string type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication on. - properties: - matchLabels: - additionalProperties: - format: string - type: string type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2406,23 +3598,6 @@ metadata: knative.dev/crd-install: "true" name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -2434,211 +3609,220 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - format: string - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. 
+ items: format: string type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer type: object - locality: - description: The locality associated with the endpoint. + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: format: string type: string - network: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 served: true storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: properties: - egress: - items: - properties: - bind: + spec: + description: 'Configuration affecting service registry. See more details at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. + type: array + endpoints: + description: One or more endpoints associated with the service. + items: properties: - name: - description: Label assigned to the port. + address: format: string type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. format: string type: string - targetPort: + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. + type: array + exportTo: + description: A list of namespaces to which this service is exported. 
+ items: format: string type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: format: string type: string - port: - description: The port associated with the listener. + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: properties: name: description: Label assigned to the port. 
@@ -2654,56 +3838,39 @@ spec: targetPort: type: integer type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: + type: array + resolution: + description: Service discovery mode for the hosts. enum: - - REGISTRY_ONLY - - ALLOW_ANY + - NONE + - STATIC + - DNS type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: + subjectAltNames: + items: format: string type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + format: string + type: string + type: object type: object type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -2714,772 +3881,1914 @@ metadata: heritage: Tiller release: istio knative.dev/crd-install: "true" - name: virtualservices.networking.istio.io + name: sidecars.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: - istio-io - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. 
- items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: items: format: string type: string type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. - items: + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. 
+ properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. format: string type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform CORS requests. - items: + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. format: string type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + knative.dev/crd-install: "true" + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - 
description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. 
+ type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. 
+ format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the request. + type: string + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: properties: - exact: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - prefix: + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: object + type: array + route: + description: The destination to which the connection should be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string type: object type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at the client side. 
- properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay will be injected. - properties: - value: - format: double - type: number - type: object - type: object + route: + description: The destination to which the connection should be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array type: object - headers: + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: properties: - request: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: + allowCredentials: + nullable: true + type: boolean + allowHeaders: items: format: string type: string type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: + allowMethods: + description: List of HTTP methods allowed to access the resource. + items: format: string type: string - type: object - remove: + type: array + allowOrigin: + description: The list of origins that are allowed to perform CORS requests. items: format: string type: string type: array - set: - additionalProperties: + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: format: string type: string - type: object + type: array + maxAge: + type: string type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be applied. - items: + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
format: string type: string - type: array - headers: - additionalProperties: + namespace: + description: Namespace specifies the namespace where the delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic at the client side. + properties: + abort: oneOf: - not: anyOf: - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error - required: - - exact + - httpStatus - required: - - prefix + - grpcStatus - required: - - regex + - http2Error properties: - exact: - format: string - type: string - prefix: + grpcStatus: format: string type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + http2Error: format: string type: string + httpStatus: + description: HTTP status code to use to abort the Http request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with the error code provided. + properties: + value: + format: double + type: number + type: object type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being addressed. 
- type: integer - queryParams: - additionalProperties: + delay: oneOf: - not: anyOf: - required: - - exact - - required: - - prefix + - fixedDelay - required: - - regex + - exponentialDelay - required: - - exact + - fixedDelay - required: - - prefix - - required: - - regex + - exponentialDelay properties: - exact: - format: string + exponentialDelay: type: string - prefix: - format: string + fixedDelay: + description: Add a fixed delay before forwarding the request. type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + percent: + description: Percentage of requests on which the delay will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be applied. 
+ items: format: string type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. format: string type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex - required: - exact - required: - prefix - required: - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the header, but has opposite meaning. + type: object type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string + number: + type: integer type: object - description: withoutHeader has the same syntax with the header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. format: string type: string - port: - description: Specifies the port on the host that is being addressed. + redirect: + description: A HTTP rule can either redirect or forward (default) traffic. properties: - number: + authority: + format: string + type: string + redirectCode: type: integer + uri: + format: string + type: string type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. 
- format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes place. - format: string + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry to other localities. - nullable: true - type: boolean type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) traffic. - items: - properties: - destination: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. 
- properties: - number: - type: integer + type: integer + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional subnet. format: string type: string type: object - headers: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: + destination: properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. 
- items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + type: object + type: array + tls: + items: + properties: + match: + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be applied. + items: + format: string + type: string + type: array port: description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string type: object - subset: - description: The name of a subset within the service. + sourceNamespace: + description: Source namespace constraining the applicability of a rule to workloads in that namespace. 
format: string type: string type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be forwarded to. - items: - properties: - destination: + type: array + route: + description: The destination to which the connection should be forwarded to. + items: properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. + destination: properties: - number: - type: integer + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string type: object - subset: - description: The name of a subset within the service. 
- format: string - type: string + weight: + format: int32 + type: integer type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -3492,15 +5801,6 @@ metadata: knative.dev/crd-install: "true" name: workloadentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string group: networking.istio.io names: categories: 
@@ -3512,196 +5812,75 @@ spec: shortNames: - we singular: workloadentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - knative.dev/crd-install: "true" - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: - annotations: - additionalProperties: - format: string - type: string - type: object + address: + format: string + type: string labels: additionalProperties: format: string type: string + description: One or more labels associated with the endpoint. type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' 
- oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. 
type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. type: integer type: object - template: - description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: format: string 
@@ -3731,15 +5910,192 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object + served: true + storage: false + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + knative.dev/crd-install: "true" + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced versions: - - name: v1alpha3 + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` resources that belong to this `WorkloadGroup`. + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- apiVersion: v1 kind: ConfigMap @@ -3778,11 +6134,6 @@ data: values: |- { "global": { - "arch": { - "amd64": 2, - "ppc64le": 2, - "s390x": 2 - }, "caAddress": "", "configValidation": true, "defaultNodeSelector": {}, @@ -3873,7 +6224,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.10.0", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -3892,7 +6243,6 @@ data: "address": "" } }, - "trustDomain": "", "useMCP": false }, "istio_cni": { @@ -3911,7 +6261,7 @@ data: }, "rewriteAppHTTPProbe": true, "templates": {}, - "useLegacySelectors": true + "useLegacySelectors": false } } config: |- 
@@ -3937,6 +6287,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -4008,7 +6359,7 @@ data: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -4077,7 +6428,7 @@ data: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true @@ -4139,6 +6490,10 @@ data: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER @@ -4241,7 +6596,7 @@ data: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: @@ -4428,6 +6783,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: 
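Review bot: The three injector-template hunks `@@ -4008,7 +6359,7 @@`, `@@ -4077,7 +6428,7 @@` and `@@ -4241,7 +6596,7 @@` drop the `Always` fallback for `imagePullPolicy`: the new `{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}` emits no pull policy at all when that value is empty. Kubernetes then defaults a tagged image to `IfNotPresent`, and the template still references images by tag (`:{{ .Values.global.tag }}`), so a node can keep running whatever it has cached under that tag. Whether the value is empty in the rendered values is not visible in these hunks. If it is, the fix belongs in the generator call, because this file is generated: either add `--set values.global.imagePullPolicy=Always \` to the `generate` invocation in `generate-manifests.sh`, or pin the images by digest.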
@@ -4788,13 +7144,17 @@ spec: value: istio-ingressgateway - name: ISTIO_META_OWNER value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local - name: ISTIO_META_UNPRIVILEGED_POD value: "true" - name: ISTIO_META_ROUTER_MODE value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.10.0 name: istio-proxy ports: - containerPort: 15021 @@ -4803,10 +7163,6 @@ spec: protocol: TCP - containerPort: 8443 protocol: TCP - - containerPort: 15012 - protocol: TCP - - containerPort: 15443 - protocol: TCP - containerPort: 15090 name: http-envoy-prom protocol: TCP @@ -4988,9 +7344,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - - name: EXTERNAL_ISTIOD - value: "false" - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.10.0 name: discovery ports: - containerPort: 8080 @@ -5018,8 +7372,6 @@ spec: runAsNonRoot: true runAsUser: 1337 volumeMounts: - - mountPath: /etc/istio/config - name: config-volume - mountPath: /var/run/secrets/tokens name: istio-token readOnly: true @@ -5031,9 +7383,6 @@ spec: - mountPath: /var/run/secrets/remote name: istio-kubeconfig readOnly: true - - mountPath: /var/lib/istio/inject - name: inject - readOnly: true securityContext: fsGroup: 1337 serviceAccountName: istiod-service-account @@ -5056,12 +7405,6 @@ spec: secret: optional: true secretName: istio-kubeconfig - - configMap: - name: istio-sidecar-injector - name: inject - - configMap: - name: istio - name: config-volume --- apiVersion: v1 kind: Service @@ -5094,14 +7437,6 @@ spec: port: 443 protocol: TCP targetPort: 8443 - - name: tcp-istiod - port: 15012 - protocol: TCP - targetPort: 15012 - - name: tls - port: 15443 - protocol: TCP - targetPort: 15443 --- apiVersion: v1 kind: Service 
@@ -5196,7 +7531,7 @@ spec: app: istiod istio: pilot --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector @@ -5207,12 +7542,87 @@ metadata: app: sidecar-injector release: istio webhooks: - - name: sidecar-injector.istio.io + - name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - default + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - default + - name: namespace.sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: /inject + port: 443 caBundle: "" sideEffects: None rules: 
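Review bot: The new `rev.object.sidecar-injector.istio.io` webhook in hunk `@@ -5207,12 +7542,87 @@`, and `object.sidecar-injector.istio.io` in the next hunk, extend injection beyond namespaces an operator has enrolled. Both match namespaces where `istio-injection` and `istio.io/rev` are absent and then key on a pod label. Both also keep `failurePolicy: Fail`, so a pod labelled `istio.io/rev: default` or `sidecar.istio.io/inject: "true"` in any unlabelled namespace, system namespaces included unless they carry a label, cannot be created while istiod is unreachable. Going by the selectors shown, labelling a namespace `istio-injection: disabled` removes it from all four webhooks. I would record that for namespaces that must never be injected, or have the generator add a `NotIn` expression on `kubernetes.io/metadata.name` for them, since a hand edit to this generated file would be lost on the next run.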
@@ -5229,16 +7639,55 @@ webhooks: - v1beta1 - v1 namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled objectSelector: matchExpressions: - key: sidecar.istio.io/inject operator: NotIn values: - "false" + - name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: /inject + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: + - CREATE + apiGroups: + - "" + apiVersions: + - v1 + resources: + - pods + failurePolicy: Fail + admissionReviewVersions: + - v1beta1 + - v1 + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist --- -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system @@ -5274,7 +7723,7 @@ webhooks: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8 + name: metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5286,7 +7735,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5313,7 +7762,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5340,7 +7789,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5460,7 +7909,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8 + name: stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default 
@@ -5470,7 +7919,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5491,6 +7940,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: stats_outbound @@ -5502,7 +7953,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5523,6 +7974,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: stats_inbound @@ -5534,7 +7995,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5555,6 +8016,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: @@ -5704,7 +8167,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8 + name: tcp-metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5714,7 +8177,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: {} patch: operation: INSERT_BEFORE @@ -5729,7 +8192,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE @@ -5745,7 +8208,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* cluster: {} patch: operation: MERGE 
@@ -5818,7 +8281,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8 + name: tcp-stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -5828,7 +8291,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5847,6 +8310,16 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: tcp_stats_inbound @@ -5858,7 +8331,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5877,6 +8350,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -5888,7 +8363,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: ^1\.8.* + proxyVersion: ^1\.10.* listener: filterChain: filter: @@ -5907,6 +8382,8 @@ spec: '@type': type.googleapis.com/google.protobuf.StringValue value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound diff --git a/third_party/istio-stable/generate-manifests.sh b/third_party/istio-stable/generate-manifests.sh index f55f741123..1a6da51457 100755 --- a/third_party/istio-stable/generate-manifests.sh +++ b/third_party/istio-stable/generate-manifests.sh @@ -16,4 +16,4 @@ source "$(dirname $0)/../library.sh" -generate "1.9.1" "$(dirname $0)" +generate "1.9.3" "$(dirname $0)" diff --git a/third_party/istio-stable/istio-ci-mesh/istio.yaml b/third_party/istio-stable/istio-ci-mesh/istio.yaml index 06ae2321e5..e3702f32eb 100644 --- a/third_party/istio-stable/istio-ci-mesh/istio.yaml +++ b/third_party/istio-stable/istio-ci-mesh/istio.yaml 
@@ -3217,7 +3217,7 @@ spec: format: int32 type: integer perTryTimeout: - description: Timeout per retry attempt for a given request. + description: Timeout per attempt for a given request, including the initial call and any retries. type: string retryOn: description: Specifies the conditions under which retry takes place. @@ -3848,7 +3848,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.1", + "tag": "1.9.3", "tracer": { "datadog": { "address": "$(HOST_IP):8126" 
@@ -4392,6 +4392,240 @@ data: securityContext: fsGroup: 1337 {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` 
.Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault 
.Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -4535,7 +4769,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.1 + image: docker.io/istio/proxyv2:1.9.3 name: istio-proxy ports: - containerPort: 15021 
@@ -4687,7 +4921,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.1 + image: docker.io/istio/pilot:1.9.3 args: - discovery - --monitoringAddr=:15014 diff --git a/third_party/istio-stable/istio-ci-no-mesh/istio.yaml b/third_party/istio-stable/istio-ci-no-mesh/istio.yaml index d5f2ccc608..189296ca10 100644 --- a/third_party/istio-stable/istio-ci-no-mesh/istio.yaml +++ b/third_party/istio-stable/istio-ci-no-mesh/istio.yaml @@ -3217,7 +3217,7 @@ spec: format: int32 type: integer perTryTimeout: - description: Timeout per retry attempt for a given request. + description: Timeout per attempt for a given request, including the initial call and any retries. type: string retryOn: description: Specifies the conditions under which retry takes place. @@ -3847,7 +3847,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.1", + "tag": "1.9.3", "tracer": { "datadog": { "address": "$(HOST_IP):8126" 
@@ -4391,6 +4391,240 @@ data: securityContext: fsGroup: 1337 {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` 
.Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault 
.Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -4534,7 +4768,7 @@ spec: value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.1 + image: docker.io/istio/proxyv2:1.9.3 name: istio-proxy ports: - containerPort: 15021 
@@ -4686,7 +4920,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.1 + image: docker.io/istio/pilot:1.9.3 args: - discovery - --monitoringAddr=:15014 diff --git a/third_party/istio-stable/istio-kind-mesh/istio.yaml b/third_party/istio-stable/istio-kind-mesh/istio.yaml index 16cf117217..b6c248dc0f 100644 --- a/third_party/istio-stable/istio-kind-mesh/istio.yaml +++ b/third_party/istio-stable/istio-kind-mesh/istio.yaml @@ -3217,7 +3217,7 @@ spec: format: int32 type: integer perTryTimeout: - description: Timeout per retry attempt for a given request. + description: Timeout per attempt for a given request, including the initial call and any retries. type: string retryOn: description: Specifies the conditions under which retry takes place. @@ -3848,7 +3848,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.1", + "tag": "1.9.3", "tracer": { "datadog": { "address": "$(HOST_IP):8126" 
@@ -4392,6 +4392,240 @@ data: securityContext: fsGroup: 1337 {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` 
.Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault 
.Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -4535,7 +4769,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.1 + image: docker.io/istio/proxyv2:1.9.3 name: istio-proxy ports: - containerPort: 15021 
@@ -4687,7 +4921,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.1 + image: docker.io/istio/pilot:1.9.3 args: - discovery - --monitoringAddr=:15014 diff --git a/third_party/istio-stable/istio-kind-no-mesh/istio.yaml b/third_party/istio-stable/istio-kind-no-mesh/istio.yaml index 08f010f32f..b46086801f 100644 --- a/third_party/istio-stable/istio-kind-no-mesh/istio.yaml +++ b/third_party/istio-stable/istio-kind-no-mesh/istio.yaml @@ -3217,7 +3217,7 @@ spec: format: int32 type: integer perTryTimeout: - description: Timeout per retry attempt for a given request. + description: Timeout per attempt for a given request, including the initial call and any retries. type: string retryOn: description: Specifies the conditions under which retry takes place. @@ -3847,7 +3847,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.1", + "tag": "1.9.3", "tracer": { "datadog": { "address": "$(HOST_IP):8126" 
@@ -4391,6 +4391,240 @@ data: securityContext: fsGroup: 1337 {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + {{ if ne "" (index .ObjectMeta.Labels "app") -}} + - "{{ index .ObjectMeta.Labels `app` }}.$(POD_NAMESPACE)" + {{ else -}} + - "{{ valueOrDefault .DeploymentMeta.Name `istio-proxy` }}.{{ valueOrDefault .DeploymentMeta.Namespace `default` }}" + {{ end -}} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` 
.Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: CANONICAL_SERVICE + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-name'] + - name: CANONICAL_REVISION + valueFrom: + fieldRef: + fieldPath: metadata.labels['service.istio.io/canonical-revision'] + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault 
.Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{ if .ObjectMeta.Annotations }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ toJSON .ObjectMeta.Annotations }} + {{ end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - path: "cpu-limit" + resourceFieldRef: + containerName: istio-proxy + resource: limits.cpu + divisor: 1m + - path: "cpu-request" + resourceFieldRef: + containerName: istio-proxy + resource: requests.cpu + divisor: 1m + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} --- apiVersion: apps/v1 kind: Deployment @@ -4534,7 +4768,7 @@ spec: value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.1 + image: docker.io/istio/proxyv2:1.9.3 name: istio-proxy ports: - containerPort: 15021 
@@ -4686,7 +4920,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.1 + image: docker.io/istio/pilot:1.9.3 args: - discovery - --monitoringAddr=:15014 From 7e9816337bb7f76515815138caffbf5ea56b071c Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Mon, 14 Jun 2021 22:05:59 +0900 Subject: [PATCH 2/3] Update istio-latest to 1.10.1 --- third_party/istio-latest/generate-manifests.sh | 2 +- third_party/istio-latest/istio-ci-mesh/istio.yaml | 6 +++--- third_party/istio-latest/istio-ci-no-mesh/istio.yaml | 6 +++--- third_party/istio-latest/istio-kind-mesh/istio.yaml | 6 +++--- third_party/istio-latest/istio-kind-no-mesh/istio.yaml | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/third_party/istio-latest/generate-manifests.sh b/third_party/istio-latest/generate-manifests.sh index 2afe41a2eb..c00bd05743 100755 --- a/third_party/istio-latest/generate-manifests.sh +++ b/third_party/istio-latest/generate-manifests.sh @@ -16,6 +16,6 @@ source "$(dirname $0)/../library.sh" -generate "1.10.0" "$(dirname $0)" \ +generate "1.10.1" "$(dirname $0)" \ --set values.pilot.env.PILOT_ENABLE_STATUS=true \ --set values.global.istiod.enableAnalysis=true \ diff --git a/third_party/istio-latest/istio-ci-mesh/istio.yaml b/third_party/istio-latest/istio-ci-mesh/istio.yaml index 6d3187a139..f0d38b5994 100644 --- a/third_party/istio-latest/istio-ci-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-mesh/istio.yaml @@ -6225,7 +6225,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.10.0", + "tag": "1.10.1", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -7155,7 +7155,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.10.0 + image: docker.io/istio/proxyv2:1.10.1 name: istio-proxy ports: - containerPort: 15021 
@@ -7345,7 +7345,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - image: docker.io/istio/pilot:1.10.0 + image: docker.io/istio/pilot:1.10.1 name: discovery ports: - containerPort: 8080 diff --git a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml index c572d52e19..7f85b5a013 100644 --- a/third_party/istio-latest/istio-ci-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-ci-no-mesh/istio.yaml @@ -6224,7 +6224,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.10.0", + "tag": "1.10.1", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -7154,7 +7154,7 @@ spec: value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.10.0 + image: docker.io/istio/proxyv2:1.10.1 name: istio-proxy ports: - containerPort: 15021 @@ -7344,7 +7344,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - image: docker.io/istio/pilot:1.10.0 + image: docker.io/istio/pilot:1.10.1 name: discovery ports: - containerPort: 8080 diff --git a/third_party/istio-latest/istio-kind-mesh/istio.yaml b/third_party/istio-latest/istio-kind-mesh/istio.yaml index 9f5add1690..a37a62e0b2 100644 --- a/third_party/istio-latest/istio-kind-mesh/istio.yaml +++ b/third_party/istio-latest/istio-kind-mesh/istio.yaml @@ -6225,7 +6225,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.10.0", + "tag": "1.10.1", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -7155,7 +7155,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.10.0 + image: docker.io/istio/proxyv2:1.10.1 name: istio-proxy ports: - containerPort: 15021 @@ -7345,7 +7345,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - image: docker.io/istio/pilot:1.10.0 + image: docker.io/istio/pilot:1.10.1 name: discovery ports: - containerPort: 8080 
diff --git a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml index 245be0cea9..6ba3927774 100644 --- a/third_party/istio-latest/istio-kind-no-mesh/istio.yaml +++ b/third_party/istio-latest/istio-kind-no-mesh/istio.yaml @@ -6224,7 +6224,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.10.0", + "tag": "1.10.1", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -7154,7 +7154,7 @@ spec: value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.10.0 + image: docker.io/istio/proxyv2:1.10.1 name: istio-proxy ports: - containerPort: 15021 @@ -7344,7 +7344,7 @@ spec: value: "true" - name: CLUSTER_ID value: Kubernetes - image: docker.io/istio/pilot:1.10.0 + image: docker.io/istio/pilot:1.10.1 name: discovery ports: - containerPort: 8080 From 22840070b2286094a97b2fc03bb52aaa34083e79 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Mon, 14 Jun 2021 22:07:50 +0900 Subject: [PATCH 3/3] Update istio-stable to 1.9.5 --- third_party/istio-stable/generate-manifests.sh | 2 +- third_party/istio-stable/istio-ci-mesh/istio.yaml | 6 +++--- third_party/istio-stable/istio-ci-no-mesh/istio.yaml | 6 +++--- third_party/istio-stable/istio-kind-mesh/istio.yaml | 6 +++--- third_party/istio-stable/istio-kind-no-mesh/istio.yaml | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/third_party/istio-stable/generate-manifests.sh b/third_party/istio-stable/generate-manifests.sh index 1a6da51457..dec04ed327 100755 --- a/third_party/istio-stable/generate-manifests.sh +++ b/third_party/istio-stable/generate-manifests.sh @@ -16,4 +16,4 @@ source "$(dirname $0)/../library.sh" -generate "1.9.3" "$(dirname $0)" +generate "1.9.5" "$(dirname $0)" diff --git a/third_party/istio-stable/istio-ci-mesh/istio.yaml b/third_party/istio-stable/istio-ci-mesh/istio.yaml index e3702f32eb..22695ab7f0 100644 --- a/third_party/istio-stable/istio-ci-mesh/istio.yaml 
+++ b/third_party/istio-stable/istio-ci-mesh/istio.yaml @@ -3848,7 +3848,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.9.5", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -4769,7 +4769,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.9.5 name: istio-proxy ports: - containerPort: 15021 @@ -4921,7 +4921,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.9.5 args: - discovery - --monitoringAddr=:15014 diff --git a/third_party/istio-stable/istio-ci-no-mesh/istio.yaml b/third_party/istio-stable/istio-ci-no-mesh/istio.yaml index 189296ca10..5bcb40867f 100644 --- a/third_party/istio-stable/istio-ci-no-mesh/istio.yaml +++ b/third_party/istio-stable/istio-ci-no-mesh/istio.yaml @@ -3847,7 +3847,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.9.5", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -4768,7 +4768,7 @@ spec: value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.9.5 name: istio-proxy ports: - containerPort: 15021 @@ -4920,7 +4920,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.9.5 args: - discovery - --monitoringAddr=:15014 diff --git a/third_party/istio-stable/istio-kind-mesh/istio.yaml b/third_party/istio-stable/istio-kind-mesh/istio.yaml index b6c248dc0f..e261493e69 100644 --- a/third_party/istio-stable/istio-kind-mesh/istio.yaml +++ b/third_party/istio-stable/istio-kind-mesh/istio.yaml @@ -3848,7 +3848,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.9.5", "tracer": { "datadog": { "address": "$(HOST_IP):8126" 
@@ -4769,7 +4769,7 @@ spec: value: "20" - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.9.5 name: istio-proxy ports: - containerPort: 15021 @@ -4921,7 +4921,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.9.5 args: - discovery - --monitoringAddr=:15014 diff --git a/third_party/istio-stable/istio-kind-no-mesh/istio.yaml b/third_party/istio-stable/istio-kind-no-mesh/istio.yaml index b46086801f..1c3e319335 100644 --- a/third_party/istio-stable/istio-kind-no-mesh/istio.yaml +++ b/third_party/istio-stable/istio-kind-no-mesh/istio.yaml @@ -3847,7 +3847,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.9.3", + "tag": "1.9.5", "tracer": { "datadog": { "address": "$(HOST_IP):8126" @@ -4768,7 +4768,7 @@ spec: value: standard - name: ISTIO_META_CLUSTER_ID value: Kubernetes - image: docker.io/istio/proxyv2:1.9.3 + image: docker.io/istio/proxyv2:1.9.5 name: istio-proxy ports: - containerPort: 15021 @@ -4920,7 +4920,7 @@ spec: fsGroup: 1337 containers: - name: discovery - image: docker.io/istio/pilot:1.9.3 + image: docker.io/istio/pilot:1.9.5 args: - discovery - --monitoringAddr=:15014