From 3ee27d7da5dd768174f6b1718b6179e2e9315eef Mon Sep 17 00:00:00 2001 
From: Stefan Reimer Date: Thu, 1 Jul 2021 16:42:24 +0200 Subject: [PATCH] feat: Istio version bump, optional support for proxyprotocol for ingress, bugfixes --- charts/kubezero-istio-ingress/Chart.yaml | 8 +- charts/kubezero-istio-ingress/README.md | 29 +- .../charts/istio-ingress/Chart.yaml | 2 +- .../istio-ingress/templates/deployment.yaml | 18 +- .../charts/istio-ingress/values.yaml | 20 +- .../charts/istio-private-ingress/Chart.yaml | 2 +- .../templates/deployment.yaml | 18 +- .../charts/istio-private-ingress/values.yaml | 20 +- .../templates/bootstrap-config.yaml | 2 +- .../templates/envoyfilter-keepalive-nlb.yaml | 43 +- .../templates/envoyfilter-proxy-protocol.yaml | 44 + .../templates/ingress-certificate.yaml | 34 +- .../templates/ingress-gateway.yaml | 71 +- charts/kubezero-istio-ingress/values.yaml | 53 +- charts/kubezero-istio/Chart.yaml | 8 +- charts/kubezero-istio/README.md | 7 +- charts/kubezero-istio/charts/base/Chart.yaml | 2 +- .../charts/base/crds/crd-all.gen.yaml | 8733 ++++++++++------ .../charts/base/crds/crd-operator.yaml | 74 +- .../charts/base/files/gen-istio-cluster.yaml | 8819 +++++++++++------ .../charts/base/templates/clusterrole.yaml | 12 +- .../validatingwebhookconfiguration.yaml | 2 +- .../charts/istio-discovery/Chart.yaml | 2 +- .../charts/istio-discovery/NOTES.txt | 4 + .../files/gateway-injection-template.yaml | 1 + .../istio-discovery/files/gen-istio.yaml | 208 +- .../files/injection-template.yaml | 11 +- .../istio-discovery/templates/configmap.yaml | 9 +- .../istio-discovery/templates/deployment.yaml | 22 +- .../templates/mutatingwebhook.yaml | 25 +- .../templates/poddisruptionbudget.yaml | 2 +- .../templates/revision-tags.yaml | 113 + .../istio-discovery/templates/service.yaml | 2 +- ...metryv2_1.9.yaml => telemetryv2_1.10.yaml} | 98 +- .../charts/istio-discovery/values.yaml | 17 +- .../templates/grafana-dashboards.yaml | 8 +- charts/kubezero-istio/update.sh | 4 +- charts/kubezero-istio/values.yaml | 3 +- 38 files changed, 11926 
insertions(+), 6624 deletions(-) create mode 100644 charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml create mode 100644 charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml rename charts/kubezero-istio/charts/istio-discovery/templates/{telemetryv2_1.9.yaml => telemetryv2_1.10.yaml} (88%) diff --git a/charts/kubezero-istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/Chart.yaml index 645462c..d8ac819 100644 --- a/charts/kubezero-istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio-ingress description: KubeZero Umbrella Chart for Istio based Ingress type: application -version: 0.5.6 -appVersion: 1.9.3 +version: 0.6.0 +appVersion: 1.10.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,9 +16,9 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: istio-ingress - version: 1.9.3 + version: 1.10.2 condition: istio-ingress.enabled - name: istio-private-ingress - version: 1.9.3 + version: 1.10.2 condition: istio-private-ingress.enabled kubeVersion: ">= 1.18.0" diff --git a/charts/kubezero-istio-ingress/README.md b/charts/kubezero-istio-ingress/README.md index 7caa87a..5ba6c9f 100644 --- a/charts/kubezero-istio-ingress/README.md +++ b/charts/kubezero-istio-ingress/README.md 
@@ -1,6 +1,6 @@ # kubezero-istio-ingress -![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square) KubeZero Umbrella Chart for Istio based Ingress @@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | istio-ingress | 1.9.3 | -| | istio-private-ingress | 1.9.3 | +| | istio-ingress | 1.10.2 | +| | istio-private-ingress | 1.10.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -30,10 +30,10 @@ Kubernetes: `>= 1.18.0` |-----|------|---------|-------------| | global.arch.amd64 | int | `2` | | | global.defaultPodDisruptionBudget.enabled | bool | `false` | | -| global.jwtPolicy | string | `"first-party-jwt"` | | | global.logAsJson | bool | `true` | | | global.priorityClassName | string | `"system-cluster-critical"` | | -| istio-ingress.dnsNames | list | `[]` | | +| istio-ingress.certificates[0].dnsNames | list | `[]` | | +| istio-ingress.certificates[0].name | string | `"ingress-cert"` | | | istio-ingress.enabled | bool | `false` | | | istio-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | | istio-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | 
@@ -69,10 +69,16 @@ Kubernetes: `>= 1.18.0` | istio-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | +| istio-ingress.proxyProtocol | bool | `false` | | | istio-ingress.telemetry.enabled | bool | `false` | | -| istio-private-ingress.dnsNames | list | `[]` | | +| istio-private-ingress.certificates[0].dnsNames | list | `[]` | | +| istio-private-ingress.certificates[0].name | string | `"private-ingress-cert"` | | | istio-private-ingress.enabled | bool | `false` | | | istio-private-ingress.gateways.istio-ingressgateway.autoscaleEnabled | bool | `false` | | +| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].configMapName | string | `"istio-gateway-bootstrap-config"` | | +| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].mountPath | string | `"/etc/istio/custom-bootstrap"` | | +| istio-private-ingress.gateways.istio-ingressgateway.configVolumes[0].name | string | `"custom-bootstrap-volume"` | | +| istio-private-ingress.gateways.istio-ingressgateway.env.ISTIO_BOOTSTRAP_OVERRIDE | string | `"/etc/istio/custom-bootstrap/custom_bootstrap.json"` | | | istio-private-ingress.gateways.istio-ingressgateway.externalTrafficPolicy | string | `"Local"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.app | string | `"istio-private-ingressgateway"` | | | istio-private-ingress.gateways.istio-ingressgateway.labels.istio | string | `"private-ingressgateway"` | | 
@@ -97,16 +103,6 @@ Kubernetes: `>= 1.18.0` | istio-private-ingress.gateways.istio-ingressgateway.ports[2].port | int | `443` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].protocol | string | `"TCP"` | | | istio-private-ingress.gateways.istio-ingressgateway.ports[2].targetPort | int | `8443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].name | string | `"tcp-istiod"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].nodePort | int | `31012` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].port | int | `15012` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].protocol | string | `"TCP"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[3].targetPort | int | `15012` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].name | string | `"tls"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].nodePort | int | `31044` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].port | int | `15443` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].protocol | string | `"TCP"` | | -| istio-private-ingress.gateways.istio-ingressgateway.ports[4].targetPort | int | `15443` | | | istio-private-ingress.gateways.istio-ingressgateway.replicaCount | int | `1` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.limits.memory | string | `"512Mi"` | | | istio-private-ingress.gateways.istio-ingressgateway.resources.requests.cpu | string | `"50m"` | | @@ -115,6 +111,7 @@ Kubernetes: `>= 1.18.0` | istio-private-ingress.gateways.istio-ingressgateway.rollingMaxUnavailable | int | `0` | | | istio-private-ingress.gateways.istio-ingressgateway.type | string | `"NodePort"` | | | istio-private-ingress.meshConfig.defaultConfig.proxyMetadata | string | `nil` | | +| istio-private-ingress.proxyProtocol | bool | `false` | | | istio-private-ingress.telemetry.enabled | bool | `false` | | ## Resources 
diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml index 75fb402..43ca564 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-ingress -version: 1.9.3 +version: 1.10.2 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml index 0c10978..c7435d0 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/templates/deployment.yaml @@ -1,4 +1,3 @@ - {{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- if eq $gateway.injectionTemplate "" }} apiVersion: apps/v1 @@ -45,17 +44,14 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" + sidecar.istio.io/inject: "false" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" prometheus.io/scrape: "true" prometheus.io/path: "/stats/prometheus" {{- end }} - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" - {{- if ne $gateway.injectionTemplate "" }} - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" - {{- end}} + sidecar.istio.io/inject: "false" {{- if $gateway.podAnnotations }} {{ toYaml $gateway.podAnnotations | indent 8 }} {{ end }} 
@@ -219,13 +215,13 @@ spec: {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" - {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- else if .Values.meshConfig.trustDomain }} - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} - {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- if .Values.meshConfig.trustDomain }} - name: TRUST_DOMAIN - value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} {{- if not $gateway.runAsRoot }} - name: ISTIO_META_UNPRIVILEGED_POD @@ -233,7 +229,7 @@ spec: {{- end }} {{- range $key, $val := $gateway.env }} - name: {{ $key }} - value: {{ $val }} + value: "{{ $val }}" {{- end }} {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - name: {{ $key }} diff --git a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml index 4aa40af..8a3ef0a 100644 --- a/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-ingress/values.yaml @@ -24,17 +24,8 @@ gateways: targetPort: 8443 name: https protocol: TCP - - port: 15012 - targetPort: 15012 - name: tcp-istiod - protocol: TCP - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - protocol: TCP - # Scalability tunning + # Scalability tuning # replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% @@ -174,7 +165,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.3 + tag: 1.10.2 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. 
@@ -310,11 +301,14 @@ global: # Setting this port to a non-zero value enables STS server. servicePort: 0 - # Deprecated, use meshConfig.trustDomain - trustDomain: "" meshConfig: enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + defaultConfig: proxyMetadata: {} tracing: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml index 39cecad..b0d3b2e 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-private-ingress -version: 1.9.3 +version: 1.10.2 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio gateways keywords: diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml index 0c10978..c7435d0 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/templates/deployment.yaml @@ -1,4 +1,3 @@ - {{- $gateway := index .Values "gateways" "istio-ingressgateway" }} {{- if eq $gateway.injectionTemplate "" }} apiVersion: apps/v1 
@@ -45,17 +44,14 @@ spec: istio.io/rev: {{ .Values.revision | default "default" }} install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} operator.istio.io/component: "IngressGateways" - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" + sidecar.istio.io/inject: "false" annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} prometheus.io/port: "15020" prometheus.io/scrape: "true" prometheus.io/path: "/stats/prometheus" {{- end }} - sidecar.istio.io/inject: "{{- ne $gateway.injectionTemplate "" }}" - {{- if ne $gateway.injectionTemplate "" }} - inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" - {{- end}} + sidecar.istio.io/inject: "false" {{- if $gateway.podAnnotations }} {{ toYaml $gateway.podAnnotations | indent 8 }} {{ end }} @@ -219,13 +215,13 @@ spec: {{- if $.Values.global.meshID }} - name: ISTIO_META_MESH_ID value: "{{ $.Values.global.meshID }}" - {{- else if $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- else if .Values.meshConfig.trustDomain }} - name: ISTIO_META_MESH_ID - value: "{{ $.Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} - {{- if .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }} + {{- if .Values.meshConfig.trustDomain }} - name: TRUST_DOMAIN - value: "{{ .Values.global.trustDomain | default (index .Values.meshConfig "trustDomain") }}" + value: "{{ .Values.meshConfig.trustDomain }}" {{- end }} {{- if not $gateway.runAsRoot }} - name: ISTIO_META_UNPRIVILEGED_POD @@ -233,7 +229,7 @@ spec: {{- end }} {{- range $key, $val := $gateway.env }} - name: {{ $key }} - value: {{ $val }} + value: "{{ $val }}" {{- end }} {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} - name: {{ $key }} 
diff --git a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml index 4aa40af..8a3ef0a 100644 --- a/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/charts/istio-private-ingress/values.yaml @@ -24,17 +24,8 @@ gateways: targetPort: 8443 name: https protocol: TCP - - port: 15012 - targetPort: 15012 - name: tcp-istiod - protocol: TCP - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - protocol: TCP - # Scalability tunning + # Scalability tuning # replicaCount: 1 rollingMaxSurge: 100% rollingMaxUnavailable: 25% @@ -174,7 +165,7 @@ global: hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.3 + tag: 1.10.2 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -310,11 +301,14 @@ global: # Setting this port to a non-zero value enables STS server. servicePort: 0 - # Deprecated, use meshConfig.trustDomain - trustDomain: "" meshConfig: enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + defaultConfig: proxyMetadata: {} tracing: diff --git a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml index 7117673..aa6ec25 100644 --- a/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml +++ b/charts/kubezero-istio-ingress/templates/bootstrap-config.yaml 
@@ -1,6 +1,6 @@ +{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} # https://www.envoyproxy.io/docs/envoy/v1.17.1/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy # https://github.com/istio/istio/issues/24715 -{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} apiVersion: v1 kind: ConfigMap metadata: diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml index 402b38e..d72d34a 100644 --- a/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml +++ b/charts/kubezero-istio-ingress/templates/envoyfilter-keepalive-nlb.yaml @@ -1,4 +1,4 @@ -{{- if or (index .Values "istio-ingress" "enabled") (index .Values "istio-private-ingress" "enabled") }} +{{- if index .Values "istio-ingress" "enabled" }} apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: @@ -7,6 +7,47 @@ metadata: labels: {{ include "kubezero-lib.labels" . | indent 4 }} spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + socket_options: + # SOL_SOCKET = 1 + # SO_KEEPALIVE = 9 + - level: 1 + name: 9 + int_value: 1 + state: STATE_LISTENING + # IPPROTO_TCP = 6 + # TCP_KEEPIDLE = 4 + - level: 6 + name: 4 + int_value: 120 + state: STATE_LISTENING + # TCP_KEEPINTVL = 5 + - level: 6 + name: 5 + int_value: 60 + state: STATE_LISTENING +{{- end }} + +{{- if index .Values "istio-private-ingress" "enabled" }} +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: private-ingressgateway-listener-tcp-keepalive + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + workloadSelector: + labels: + istio: private-ingressgateway configPatches: - applyTo: LISTENER patch: 
diff --git a/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml new file mode 100644 index 0000000..e3d4fe4 --- /dev/null +++ b/charts/kubezero-istio-ingress/templates/envoyfilter-proxy-protocol.yaml @@ -0,0 +1,44 @@ +{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "proxyProtocol") }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: ingressgateway-proxy-protocol + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + listener_filters: + - name: envoy.listener.proxy_protocol + - name: envoy.listener.tls_inspector +{{- end }} + +{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "proxyProtocol") }} +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: private-ingressgateway-proxy-protocol + namespace: {{ .Release.Namespace }} + labels: +{{ include "kubezero-lib.labels" . | indent 4 }} +spec: + workloadSelector: + labels: + istio: private-ingressgateway + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + listener_filters: + - name: envoy.listener.proxy_protocol + - name: envoy.listener.tls_inspector +{{- end }} diff --git a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml index fbb2fee..53d05a6 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-certificate.yaml 
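Review bot: Both new EnvoyFilters patch every listener of the selected gateway (`applyTo: LISTENER` with no `match`), so once `proxyProtocol` is set the gateway takes the client address from whatever PROXY header arrives on any of its ports. That is only sound when the load balancer adding the header is the sole path to those ports; if the NodePort is reachable by any other route, the source address seen in access logs and in source-IP based policy is no longer trustworthy. I would document that precondition next to the flag in values.yaml, e.g. `# proxyProtocol: enable only when every path to the gateway ports goes through a load balancer that sends the PROXY header`, and consider a `match` restricting the patch to the listener ports that actually sit behind it. The filter names use the older `envoy.listener.*` form; it is worth confirming that the Envoy shipped with this Istio version still accepts them rather than `envoy.filters.listener.proxy_protocol` and `envoy.filters.listener.tls_inspector`.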
@@ -1,35 +1,39 @@ -{{- if index .Values "istio-ingress" "dnsNames" }} +{{- range $cert := (index .Values "istio-ingress" "certificates") }} +{{- if $cert.dnsNames }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: ingress-cert - namespace: {{ .Release.Namespace }} + name: {{ $cert.name }} + namespace: {{ $.Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} +{{ include "kubezero-lib.labels" $ | indent 4 }} spec: - secretName: ingress-cert + secretName: {{ $cert.name }} issuerRef: - name: letsencrypt-dns-prod + name: {{ default "letsencrypt-dns-prod" $cert.issuer }} kind: ClusterIssuer dnsNames: -{{ toYaml (index .Values "istio-ingress" "dnsNames") | indent 4 }} +{{ toYaml $cert.dnsNames | indent 4 }} +--- +{{- end }} {{- end }} -{{- if index .Values "istio-private-ingress" "dnsNames" }} ---- +{{- range $cert := (index .Values "istio-private-ingress" "certificates") }} +{{- if $cert.dnsNames }} apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: private-ingress-cert - namespace: {{ .Release.Namespace }} + name: {{ $cert.name }} + namespace: {{ $.Release.Namespace }} labels: -{{ include "kubezero-lib.labels" . | indent 4 }} +{{ include "kubezero-lib.labels" $ | indent 4 }} spec: secretName: private-ingress-cert issuerRef: - name: letsencrypt-dns-prod + name: {{ default "letsencrypt-dns-prod" $cert.issuer }} kind: ClusterIssuer dnsNames: -{{ toYaml (index .Values "istio-private-ingress" "dnsNames") | indent 4 }} +{{ toYaml $cert.dnsNames | indent 4 }} +--- +{{- end }} {{- end }} - diff --git a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml index cd35cb2..64d9b34 100644 --- a/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml +++ b/charts/kubezero-istio-ingress/templates/ingress-gateway.yaml 
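Review bot: In the second `range` (the `istio-private-ingress` certificates) `secretName: private-ingress-cert` is still hard-coded, while the first loop and the Gateway template both use `{{ $cert.name }}`. With more than one entry in `istio-private-ingress.certificates`, every Certificate would target the same secret and the Gateway's `credentialName: {{ $cert.name }}` would reference secrets that are never created, so a listener could come up without a certificate or with one issued for other hostnames. Change the line to `secretName: {{ $cert.name }}`. The `---` emitted at the end of each iteration also leaves an empty trailing document after the last certificate; moving it to the top of the loop body would be tidier.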
@@ -1,6 +1,6 @@ +{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "certificates") }} # https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-multiple-hosts -{{- if and (index .Values "istio-ingress" "enabled") (index .Values "istio-ingress" "dnsNames") }} apiVersion: networking.istio.io/v1beta1 kind: Gateway metadata: @@ -17,23 +17,25 @@ spec: name: http protocol: HTTP2 hosts: - {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} + {{- range $cert := (index .Values "istio-ingress" "certificates") }} + {{- toYaml $cert.dnsNames | nindent 4 }} + {{- end }} tls: httpsRedirect: true + {{- range $cert := (index .Values "istio-ingress" "certificates") }} - port: number: 443 name: https protocol: HTTPS hosts: - {{- toYaml (index .Values "istio-ingress" "dnsNames") | nindent 4 }} + {{- toYaml $cert.dnsNames | nindent 4 }} tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: ingress-cert + credentialName: {{ $cert.name }} + {{- end }} {{- end }} -{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "dnsNames") }} +{{- if and (index .Values "istio-private-ingress" "enabled") (index .Values "istio-private-ingress" "certificates") }} --- apiVersion: networking.istio.io/v1beta1 kind: Gateway 
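Review bot: The Gateway is now gated on `certificates` being non-empty instead of on `dnsNames`, and the default values ship one entry with `dnsNames: []`, so enabling the ingress without setting any DNS name renders servers with `hosts: []`, which I would expect Istio's validation to reject. ingress-certificate.yaml already skips such entries with `{{- if $cert.dnsNames }}`; the same guard around each per-certificate `- port:` block, in this hunk and in the private Gateway hunk that follows, would keep the two templates consistent. Each iteration also emits a server with the same port name `https` (and `fluentd-forward` in the private Gateway), which may collide once a second certificate is configured; deriving the name from `{{ $cert.name }}` would avoid that. The Gateway spec starts outside this hunk.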
@@ -51,53 +53,62 @@ spec: name: http protocol: HTTP2 hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} tls: httpsRedirect: true + # All SSL hosts one entry per ingress-certificate + {{- range $cert := (index .Values "istio-private-ingress" "certificates") }} - port: number: 443 name: https protocol: HTTPS hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- toYaml $cert.dnsNames | nindent 4 }} tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: private-ingress-cert - - port: - number: 5672 - name: amqp - protocol: TCP - hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} - - port: - number: 5671 - name: amqps - protocol: TCP - hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + credentialName: {{ $cert.name }} - port: number: 24224 name: fluentd-forward protocol: TLS hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- toYaml $cert.dnsNames | nindent 4 }} tls: mode: SIMPLE - privateKey: /etc/istio/ingressgateway-certs/tls.key - serverCertificate: /etc/istio/ingressgateway-certs/tls.crt - credentialName: private-ingress-cert + credentialName: {{ $cert.name }} + {{- end }} + - port: + number: 5672 + name: amqp + protocol: TCP + hosts: + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} + - port: + number: 5671 + name: amqps + protocol: TCP + hosts: + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} - port: number: 6379 name: redis protocol: TCP hosts: - {{- toYaml (index .Values 
"istio-private-ingress" "dnsNames") | nindent 4 }} + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} - port: number: 6380 name: redis-1 protocol: TCP hosts: - {{- toYaml (index .Values "istio-private-ingress" "dnsNames") | nindent 4 }} + {{- range $certs := (index .Values "istio-private-ingress" "certificates") }} + {{- toYaml $certs.dnsNames | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/kubezero-istio-ingress/values.yaml b/charts/kubezero-istio-ingress/values.yaml index 5583418..5e83d22 100644 --- a/charts/kubezero-istio-ingress/values.yaml +++ b/charts/kubezero-istio-ingress/values.yaml @@ -1,10 +1,9 @@ # Make sure these values match kuberzero-istio !!! global: #hub: docker.io/istio - #tag: 1.9.3 + #tag: 1.10.2 logAsJson: true - jwtPolicy: first-party-jwt priorityClassName: "system-cluster-critical" @@ -69,21 +68,13 @@ istio-ingress: targetPort: 8443 nodePort: 30443 protocol: TCP - ## multi-cluster - disabled on public LBs - #- name: tcp-istiod - # port: 15012 - # targetPort: 15012 - # nodePort: 30012 - # protocol: TCP - ## multi-cluster sni east-west - #- name: tls - # port: 15443 - # targetPort: 15443 - # nodePort: 30044 - # protocol: TCP - dnsNames: [] -# - '*.example.com' + certificates: + - name: ingress-cert + dnsNames: [] + # - '*.example.com' + + proxyProtocol: false meshConfig: defaultConfig: 
@@ -123,8 +114,16 @@ istio-private-ingress: values: istio-private-ingressgateway type: NodePort podAnnotations: - # sidecar.istio.io/bootstrapOverride: istio-gateway-bootstrap-config proxy.istio.io/config: '{ "terminationDrainDuration": "20s" }' + + # custom hardened bootstrap config + env: + ISTIO_BOOTSTRAP_OVERRIDE: /etc/istio/custom-bootstrap/custom_bootstrap.json + configVolumes: + - name: custom-bootstrap-volume + mountPath: /etc/istio/custom-bootstrap + configMapName: istio-gateway-bootstrap-config + nodeSelector: node.kubernetes.io/ingress.private: "31080_31443" #nodeSelector: "31080_31443_31671_31672_31224" @@ -143,18 +142,6 @@ istio-private-ingress: targetPort: 8443 nodePort: 31443 protocol: TCP - # multi-cluster - - name: tcp-istiod - port: 15012 - targetPort: 15012 - nodePort: 31012 - protocol: TCP - # multi-cluster sni east-west - - name: tls - port: 15443 - targetPort: 15443 - nodePort: 31044 - protocol: TCP #- name: fluentd-forward # port: 24224 # nodePort: 31224 @@ -168,8 +155,12 @@ istio-private-ingress: # port: 6379 # nodePort: 31379 - dnsNames: [] -# - '*.example.com' + certificates: + - name: private-ingress-cert + dnsNames: [] + #- '*.example.com' + + proxyProtocol: false meshConfig: defaultConfig: diff --git a/charts/kubezero-istio/Chart.yaml b/charts/kubezero-istio/Chart.yaml index 5c2a70a..deebed3 100644 --- a/charts/kubezero-istio/Chart.yaml +++ b/charts/kubezero-istio/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: kubezero-istio description: KubeZero Umbrella Chart for Istio type: application -version: 0.5.6 -appVersion: 1.9.3 +version: 0.6.0 +appVersion: 1.10.2 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: @@ -16,7 +16,7 @@ dependencies: version: ">= 0.1.3" repository: https://zero-down-time.github.io/kubezero/ - name: base - version: 1.9.3 + version: 1.10.2 - name: istio-discovery - version: 1.9.3 + version: 1.10.2 kubeVersion: ">= 1.18.0" 
diff --git a/charts/kubezero-istio/README.md b/charts/kubezero-istio/README.md index 0041be0..cc3a2be 100644 --- a/charts/kubezero-istio/README.md +++ b/charts/kubezero-istio/README.md @@ -1,6 +1,6 @@ # kubezero-istio -![Version: 0.5.6](https://img.shields.io/badge/Version-0.5.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.9.3](https://img.shields.io/badge/AppVersion-1.9.3-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.10.2](https://img.shields.io/badge/AppVersion-1.10.2-informational?style=flat-square) KubeZero Umbrella Chart for Istio @@ -20,8 +20,8 @@ Kubernetes: `>= 1.18.0` | Repository | Name | Version | |------------|------|---------| -| | base | 1.9.3 | -| | istio-discovery | 1.9.3 | +| | base | 1.10.2 | +| | istio-discovery | 1.10.2 | | https://zero-down-time.github.io/kubezero/ | kubezero-lib | >= 0.1.3 | ## Values @@ -29,7 +29,6 @@ Kubernetes: `>= 1.18.0` | Key | Type | Default | Description | |-----|------|---------|-------------| | global.defaultPodDisruptionBudget.enabled | bool | `false` | | -| global.jwtPolicy | string | `"first-party-jwt"` | | | global.logAsJson | bool | `true` | | | global.priorityClassName | string | `"system-cluster-critical"` | | | istio-discovery.meshConfig.accessLogEncoding | string | `"JSON"` | | diff --git a/charts/kubezero-istio/charts/base/Chart.yaml b/charts/kubezero-istio/charts/base/Chart.yaml index 1ed5b5c..eba13b9 100644 --- a/charts/kubezero-istio/charts/base/Chart.yaml +++ b/charts/kubezero-istio/charts/base/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: base -version: 1.9.3 +version: 1.10.2 tillerVersion: ">=2.7.2" description: Helm chart for deploying Istio cluster resources and CRDs keywords: 
diff --git a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml index 0f64904..0387315 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-all.gen.yaml @@ -1,5 +1,5 @@ # DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -11,19 +11,6 @@ metadata: release: istio name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -35,376 +22,126 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. format: string type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. 
format: string type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: properties: - connectionPool: + http: + description: HTTP connection pool settings. properties: - http: - description: HTTP connection pool settings. + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + interval: + description: The time duration between keep-alive + probes. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 + probes: type: integer - http2MaxRequests: - description: Maximum number of requests to a - backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. + time: type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP - upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on - the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -430,277 +167,21 @@ spec: - httpQueryParameterName required: - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to - the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to - a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -709,231 +190,237 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. + required: + - consistentHash properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
items: properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from - the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. + connectionPool: properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -942,16 +429,275 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. 
+ format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -977,210 +723,1622 @@ spec: - httpQueryParameterName required: - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: properties: - consistentHash: + httpCookie: + description: Hash based on HTTP cookie. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + name: + description: Name of the cookie. format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + path: + description: Path to set for the cookie. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean + ttl: + description: Lifetime of the cookie. + type: string type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. 
- nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - outlierDetection: + localityLbSetting: properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' items: - format: string - type: string + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object type: array type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: format: string type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1201,238 +2359,238 @@ spec: listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter - preserveUnknownFields: true scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more - details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was - generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. 
- format: string - type: string - destinationPort: - description: The destination_port value used by a - filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. 
- enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. 
+ format: string + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1455,146 +2613,273 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -1606,28 +2891,6 @@ metadata: release: istio name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL - or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -1639,26 +2902,2457 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
+ format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. 
+ format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: format: string type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
- items: + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. properties: address: format: string 
@@ -1688,1328 +5382,18 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 - served: true - storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. 
- format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being 
sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these - routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. 
- items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate - VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at - the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. 
- items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should - be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. 
- type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes - place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry - to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. 
- items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. 
See more - details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - format: string - type: string - type: object - labels: - additionalProperties: - format: string - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered - failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. 
- items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before - readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered - successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3031,217 +5415,216 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details - at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - format: string - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3254,19 +5637,6 @@ metadata: release: istio name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -3278,31 +5648,31 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. properties: mode: description: Defines the mTLS mode used for peer authentication. 
@@ -3313,30 +5683,42 @@ spec: - STRICT type: string type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3360,90 +5742,233 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods - are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected - workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for - the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before decoding - the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract + the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} --- diff --git a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml index d0be4c3..2a80f41 100644 --- a/charts/kubezero-istio/charts/base/crds/crd-operator.yaml +++ b/charts/kubezero-istio/charts/base/crds/crd-operator.yaml 
@@ -1,66 +1,48 @@ # SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io labels: release: istio spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- diff --git a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml index 365ca20..aec8e17 100644 --- a/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml 
+++ b/charts/kubezero-istio/charts/base/files/gen-istio-cluster.yaml @@ -1,7 +1,7 @@ --- # Source: crds/crd-all.gen.yaml # DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -13,19 +13,6 @@ metadata: release: istio name: destinationrules.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.host - description: The name of a service from the service registry - name: Host - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -37,376 +24,126 @@ spec: shortNames: - dr singular: destinationrule - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. format: string type: string - type: array - host: - description: The name of a service from the service registry. - format: string - type: string - subsets: - items: - properties: - labels: - additionalProperties: + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. 
format: string type: string - type: object - name: - description: Name of the subset. - format: string - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. 
- type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: properties: - connectionPool: + http: + description: HTTP connection pool settings. properties: - http: - description: HTTP connection pool settings. + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE + interval: + description: The time duration between keep-alive + probes. type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP - requests to a destination. - format: int32 + probes: type: integer - http2MaxRequests: - description: Maximum number of requests to a - backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. + time: type: string - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. 
- type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP - upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on - the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string - type: object type: object type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -432,277 +169,21 @@ spec: - httpQueryParameterName required: - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute - or failover can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. 
- nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to - the upstream service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. 
- format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - type: object - type: object - type: object - type: array - trafficPolicy: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests to - a destination. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to - a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. 
- oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -711,231 +192,237 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash - properties: - consistentHash: - properties: - httpCookie: - description: Hash based on HTTP cookie. + required: + - consistentHash properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH type: string type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - format: string - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - format: string - type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or failover - can be set.' + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
items: properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute can - be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected from - the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of pending HTTP requests - to a destination. 
- format: int32 - type: integer - http2MaxRequests: - description: Maximum number of requests to a backend. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. + connectionPool: properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - type: integer - time: - type: string + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - oneOf: - - not: - anyOf: + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName - required: - httpHeaderName - required: 
@@ -944,16 +431,275 @@ spec: - useSourceIp - required: - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - required: - - consistentHash + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. 
+ format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: - required: - simple - properties: 
@@ -979,210 +725,1622 @@ spec: - httpQueryParameterName required: - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: properties: - consistentHash: + httpCookie: + description: Hash based on HTTP cookie. properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - format: string - type: string - path: - description: Path to set for the cookie. - format: string - type: string - ttl: - description: Lifetime of the cookie. - type: string - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. + name: + description: Name of the cookie. format: string type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. + path: + description: Path to set for the cookie. format: string type: string - minimumRingSize: - type: integer - useSourceIp: - description: Hash based on the source IP address. - type: boolean + ttl: + description: Lifetime of the cookie. + type: string type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute or - failover can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - format: string - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. 
- nullable: true - type: boolean - failover: - description: 'Optional: only failover or distribute - can be set.' - items: - properties: - from: - description: Originating region. - format: string - type: string - to: - format: string - type: string - type: object - type: array - type: object - simple: - enum: - - ROUND_ROBIN - - LEAST_CONN - - RANDOM - - PASSTHROUGH + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean type: object - outlierDetection: + localityLbSetting: properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is - ejected from the connection pool. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - format: int32 - type: integer - minHealthPercent: - format: int32 - type: integer - type: object - port: - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. 
- format: string - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - format: string - type: string - subjectAltNames: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' items: - format: string - type: string + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object type: array type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string type: object - type: array - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - format: string - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - credentialName: - format: string - type: string - mode: - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - format: string - type: string - subjectAltNames: - items: + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. 
+ format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: format: string type: string - type: array - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + format: string + type: string + type: array + host: + description: The name of a service from the service registry. + format: string + type: string + subsets: + items: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + name: + description: Name of the subset. + format: string + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. 
+ type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. 
+ format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. 
+ format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. 
+ properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + format: string + type: string + path: + description: Path to set for the cookie. + format: string + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + format: string + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + format: string + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + format: string + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + format: string + type: string + to: + format: string + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + format: string + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + credentialName: + format: string + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1203,238 +2361,238 @@ spec: listKind: EnvoyFilterList plural: envoyfilters singular: envoyfilter - preserveUnknownFields: true scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See more - details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - format: string - type: string - portNumber: - description: The service port for which this cluster was - generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - format: string - type: string - subset: - description: The subset associated with the service. - format: string - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. 
- format: string - type: string - destinationPort: - description: The destination_port value used by a - filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - format: string - type: string - subFilter: - properties: - name: - description: The filter name to match on. - format: string - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - format: string - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - format: string - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - format: string - type: string - type: object - name: - description: Match a specific listener by its name. - format: string - type: string - portName: - format: string - type: string - portNumber: - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - format: string - type: string - type: object - proxyVersion: - format: string - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - format: string - type: string - name: - description: Route configuration name to match on. - format: string - type: string - portName: - description: Applicable only for GATEWAY context. - format: string - type: string - portNumber: - type: integer - vhost: - properties: - name: - format: string - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. 
- enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - format: string - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - type: object - type: object - type: array - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. 
+ format: string + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + format: string + type: string + subset: + description: The subset associated with the service. + format: string + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + format: string + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + format: string + type: string + subFilter: + properties: + name: + description: The filter name to match on. + format: string + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + format: string + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + format: string + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + format: string + type: string + type: object + name: + description: Match a specific listener by its name. + format: string + type: string + portName: + format: string + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + format: string + type: string + type: object + proxyVersion: + format: string + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + format: string + type: string + name: + description: Route configuration name to match on. + format: string + type: string + portName: + description: Applicable only for GATEWAY context. + format: string + type: string + portNumber: + type: integer + vhost: + properties: + name: + format: string + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + format: string + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -1457,146 +2615,273 @@ spec: shortNames: - gw singular: gateway - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - format: string - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - format: string - type: string - defaultEndpoint: - format: string - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - format: string - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - format: string - type: string - port: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - format: string - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - format: string - type: string - type: array - credentialName: - format: string - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' 
- enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - format: string - type: string - subjectAltNames: - items: - format: string - type: string - type: array - verifyCertificateHash: - items: - format: string - type: string - type: array - verifyCertificateSpki: - items: - format: string - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. 
+ properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + format: string + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + format: string + type: string + defaultEndpoint: + format: string + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + format: string + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + format: string + type: string + port: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + format: string + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + format: string + type: string + type: array + credentialName: + format: string + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + format: string + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ format: string + type: string + subjectAltNames: + items: + format: string + type: string + type: array + verifyCertificateHash: + items: + format: string + type: string + type: array + verifyCertificateSpki: + items: + format: string + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: @@ -1608,28 +2893,6 @@ metadata: release: istio name: serviceentries.networking.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.hosts - description: The hosts associated with the ServiceEntry - name: Hosts - type: string - - JSONPath: .spec.location - description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL - or MESH_INTERNAL) - name: Location - type: string - - JSONPath: .spec.resolution - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) - name: Resolution - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: networking.istio.io names: categories: 
@@ -1641,26 +2904,2457 @@ spec: shortNames: - se singular: serviceentry - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. 
+ items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + format: string + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + format: string + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + format: string + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + format: string + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. 
+ format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + format: string + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + format: string + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + format: string + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + format: string + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + format: string + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. 
See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. 
+ format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. 
+ type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. 
+ format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. 
+ format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + format: string + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + format: string + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + format: string + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + format: string + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + format: string + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + format: string + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: array + exposeHeaders: + items: + format: string + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + format: string + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + format: string + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + format: string + type: string + http2Error: + format: string + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + format: string + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + name: + description: The name assigned to a match. + format: string + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: Query parameters for matching. 
+ type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + format: string + type: string + prefix: + format: string + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + format: string + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + format: string + type: string + port: + description: Specifies the port on the host that is being + addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + format: string + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + format: string + type: string + redirectCode: + type: integer + uri: + format: string + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + format: string + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + format: string + type: string + uri: + format: string + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + format: string + type: string + type: object + remove: + items: + format: string + type: string + type: array + set: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. 
+ format: string + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + format: string + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + format: string + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + format: string + type: string + type: array + sourceLabels: + additionalProperties: + format: string + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + format: string + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + format: string + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + format: string + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: format: string type: string - type: array - endpoints: - description: One or more endpoints associated with the service. 
- items: + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + format: string + type: string + labels: + additionalProperties: + format: string + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ format: string + type: string + network: + format: string + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + format: string + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. 
+ properties: + annotations: + additionalProperties: + format: string + type: string + type: object + labels: + additionalProperties: + format: string + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + format: string + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + format: string + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + format: string + type: string + value: + format: string + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + format: string + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + format: string + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. 
+ properties: + host: + format: string + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. properties: address: format: string 
@@ -1690,1328 +5384,18 @@ spec: description: The load balancing weight associated with the endpoint. type: integer type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - format: string - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - format: string - type: string - type: array - location: - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: array - resolution: - description: Service discovery mode for the hosts. - enum: - - NONE - - STATIC - - DNS - type: string - subjectAltNames: - items: - format: string - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. 
- properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true - - name: v1beta1 - served: true - storage: false + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - items: - properties: - bind: - format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - items: - format: string - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - ingress: - items: - properties: - bind: - description: The IP to which the listener should be bound. 
- format: string - type: string - captureMode: - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - defaultEndpoint: - format: string - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - format: string - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - format: string - type: string - targetPort: - type: integer - type: object - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - properties: - labels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.gateways - description: The names of gateways and sidecars that should apply these routes - name: Gateways - type: string - - JSONPath: .spec.hosts - description: The destination hosts to which traffic is being 
sent - name: Hosts - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is exported. - items: - format: string - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply these - routes. - items: - format: string - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - format: string - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - format: string - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the resource. 
- items: - format: string - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - format: string - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: array - exposeHeaders: - items: - format: string - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - format: string - type: string - namespace: - description: Namespace specifies the namespace where the delegate - VirtualService resides. - format: string - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic at - the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - format: string - type: string - http2Error: - format: string - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. 
- properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. 
- items: - format: string - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching should - be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - name: - description: The name assigned to a match. - format: string - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: Query parameters for matching. 
- type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - format: string - type: string - prefix: - format: string - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - format: string - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - format: string - type: string - port: - description: Specifies the port on the host that is being - addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the `mirror` - field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - format: string - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - properties: - authority: - format: string - type: string - redirectCode: - type: integer - uri: - format: string - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry takes - place. - format: string - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should retry - to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this value. - format: string - type: string - uri: - format: string - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. 
- items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - format: string - type: string - type: object - remove: - items: - format: string - type: string - type: array - set: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - weight: - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. 
- format: string - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination with - optional subnet. - items: - format: string - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - format: string - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - format: string - type: string - type: array - sourceLabels: - additionalProperties: - format: string - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - format: string - type: string - type: object - type: array - route: - description: The destination to which the connection should be - forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - format: string - type: string - port: - description: Specifies the port on the host that is - being addressed. 
- properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - format: string - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - - JSONPath: .spec.address - description: Address associated with the network endpoint. - name: Address - type: string - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. 
See more - details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - - name: v1beta1 - served: true - storage: false - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - format: string - type: string - type: object - labels: - additionalProperties: - format: string - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - format: string - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered - failed after having succeeded. - format: int32 - type: integer - httpGet: - properties: - host: - description: Host name to connect to, defaults to the pod IP. - format: string - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. 
- items: - properties: - name: - format: string - type: string - value: - format: string - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - format: string - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - format: string - type: string - type: object - initialDelaySeconds: - description: Number of seconds after the container has started before - readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered - successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - format: string - type: string - port: - type: integer - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - format: string - type: string - labels: - additionalProperties: - format: string - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - format: string - type: string - network: - format: string - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - format: string - type: string - weight: - description: The load balancing weight associated with the endpoint. 
- type: integer - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha3 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3033,217 +5417,216 @@ spec: listKind: AuthorizationPolicyList plural: authorizationpolicies singular: authorizationpolicy - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more details - at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - format: string - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - format: string - type: string - type: array - namespaces: - description: Optional. - items: - format: string - type: string - type: array - notIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notNamespaces: - description: Optional. - items: - format: string - type: string - type: array - notPrincipals: - description: Optional. - items: - format: string - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - format: string - type: string - type: array - principals: - description: Optional. - items: - format: string - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - format: string - type: string - type: array - requestPrincipals: - description: Optional. 
- items: - format: string - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - description: Optional. - items: - format: string - type: string - type: array - notMethods: - description: Optional. - items: - format: string - type: string - type: array - notPaths: - description: Optional. - items: - format: string - type: string - type: array - notPorts: - description: Optional. - items: - format: string - type: string - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - format: string - type: string - notValues: - description: Optional. - items: - format: string - type: string - type: array - values: - description: Optional. - items: - format: string - type: string - type: array - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. 
See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + format: string + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + format: string + type: string + type: array + namespaces: + description: Optional. + items: + format: string + type: string + type: array + notIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notNamespaces: + description: Optional. + items: + format: string + type: string + type: array + notPrincipals: + description: Optional. + items: + format: string + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + principals: + description: Optional. + items: + format: string + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + format: string + type: string + type: array + requestPrincipals: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + format: string + type: string + type: array + methods: + description: Optional. 
+ items: + format: string + type: string + type: array + notHosts: + description: Optional. + items: + format: string + type: string + type: array + notMethods: + description: Optional. + items: + format: string + type: string + type: array + notPaths: + description: Optional. + items: + format: string + type: string + type: array + notPorts: + description: Optional. + items: + format: string + type: string + type: array + paths: + description: Optional. + items: + format: string + type: string + type: array + ports: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + format: string + type: string + notValues: + description: Optional. + items: + format: string + type: string + type: array + values: + description: Optional. + items: + format: string + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3256,19 +5639,6 @@ metadata: release: istio name: peerauthentications.security.istio.io spec: - additionalPrinterColumns: - - JSONPath: .spec.mtls.mode - description: Defines the mTLS mode used for peer authentication. - name: Mode - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date group: security.istio.io names: categories: 
@@ -3280,31 +5650,31 @@ spec: shortNames: - pa singular: peerauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. properties: mode: description: Defines the mTLS mode used for peer authentication. 
@@ -3315,30 +5685,42 @@ spec: - STRICT type: string type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the ChannelAuthentication - on. - properties: - matchLabels: - additionalProperties: - format: string - type: string + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1beta1 + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} --- -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: 
@@ -3362,159 +5744,284 @@ spec: shortNames: - ra singular: requestauthentication - preserveUnknownFields: false scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: RequestAuthentication defines what request authentication methods - are supported by a workload. - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the selected - workloads' proxy. - items: - properties: - audiences: - items: - format: string - type: string - type: array - forwardOriginalToken: - description: If set to true, the orginal token will be kept for - the ustream request. - type: boolean - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - format: string - type: string - prefix: - description: The prefix that should be stripped before decoding - the token. - format: string - type: string - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - format: string - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - format: string - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - format: string - type: string - jwks_uri: - format: string - type: string - jwksUri: - format: string - type: string - outputPayloadToHeader: - format: string - type: string - type: object - type: array - selector: - description: The selector determines the workloads to apply the RequestAuthentication - on. 
- properties: - matchLabels: - additionalProperties: - format: string - type: string - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object versions: - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + format: string + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + format: string + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + format: string + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + format: string + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + format: string + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + format: string + type: string + jwks_uri: + format: string + type: string + jwksUri: + format: string + type: string + outputPayloadToHeader: + format: string + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. 
+ properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object served: true storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + format: string + type: string + type: object + type: object + tracing: + description: Optional. 
+ items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + format: string + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + format: string + type: string + name: + description: Name of the header from which to extract + the tag value. + format: string + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + format: string + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ format: string + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} --- --- # Source: crds/crd-operator.yaml # SYNC WITH manifests/charts/istio-operator/templates -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: istiooperators.install.istio.io labels: release: istio spec: - additionalPrinterColumns: - - JSONPath: .spec.revision - description: Istio control plane revision - name: Revision - type: string - - JSONPath: .status.status - description: IOP current state - type: string - name: Status - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date + conversion: + strategy: None group: install.istio.io names: kind: IstioOperator + listKind: IstioOperatorList plural: istiooperators singular: istiooperator shortNames: - iop - io scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
- More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - spec: - description: 'Specification of the desired state of the istio control plane resource. - More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - status: - description: 'Status describes each of istio control plane component status at the current time. - 0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING. - More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html & - https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object versions: - - name: v1alpha1 + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true served: true storage: true --- @@ -3562,7 +6069,7 @@ rules: # istio configuration # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] - apiGroups: ["networking.istio.io"] @@ -3626,11 +6133,19 @@ rules: - apiGroups: ["networking.x-k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] --- # Source: base/templates/clusterrole.yaml apiVersion: rbac.authorization.k8s.io/v1 @@ -3746,7 +6261,7 @@ subjects: namespace: istio-system --- # Source: base/templates/validatingwebhookconfiguration.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-istio-system 
diff --git a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml index e4176d5..014970c 100644 --- a/charts/kubezero-istio/charts/base/templates/clusterrole.yaml +++ b/charts/kubezero-istio/charts/base/templates/clusterrole.yaml @@ -19,11 +19,11 @@ rules: # istio configuration # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] verbs: ["get", "watch", "list"] resources: ["*"] {{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io"] + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] verbs: ["update"] # TODO: should be on just */status but wildcard is not supported resources: ["*"] @@ -97,12 +97,20 @@ rules: - apiGroups: ["networking.x-k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] # Needed for multicluster secret reading, possibly ingress certs in the future - apiGroups: [""] resources: ["secrets"] verbs: ["get", "watch", "list"] + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] + --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
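Review bot: The second hunk (`@@ -97,12 +97,20 @@`) grants `update` on every resource in `networking.x-k8s.io` cluster-wide, although its own TODO says only `*/status` is needed, and it adds `create`/`delete` on `serviceexports` with no values switch visible in the hunk. In the first hunk the comparable `update` rule for the Istio API groups sits behind `.Values.global.istiod.enableAnalysis`. The new rules look unconditional, though the `rules:` list and any enclosing `{{- if }}` begin outside the hunk. If this cluster does not use the Gateway API or MCS integrations, consider putting both rules behind a values condition. Otherwise, name the status subresources istiod actually writes, e.g. `resources: ["gateways/status", "httproutes/status"]` in place of `resources: ["*"]`, after confirming the list against the controller. The same rules recur in the generated `gen-istio-cluster.yaml` hunk `@@ -3626,11 +6133,19 @@` and would follow from the template.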
diff --git a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml index 80124a9..bd5d1cf 100644 --- a/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml +++ b/charts/kubezero-istio/charts/base/templates/validatingwebhookconfiguration.yaml @@ -1,5 +1,5 @@ {{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingWebhookConfiguration metadata: name: istiod-{{ .Values.global.istioNamespace }} diff --git a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml index 06bd7e2..6afbc9b 100644 --- a/charts/kubezero-istio/charts/istio-discovery/Chart.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v1 name: istio-discovery -version: 1.9.3 +version: 1.10.2 tillerVersion: ">=2.7.2" description: Helm chart for istio control plane keywords: diff --git a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt index 997f4ac..620f3e1 100644 --- a/charts/kubezero-istio/charts/istio-discovery/NOTES.txt +++ b/charts/kubezero-istio/charts/istio-discovery/NOTES.txt @@ -3,3 +3,7 @@ Minimal control plane for Istio. Pilot and mesh config are included. MCP and injector should optionally be installed in the same namespace. Alternatively remote address of an MCP server can be set. + +Thank you for installing Istio 1.10. Please take a few minutes to tell us about your install/upgrade experience! + https://forms.gle/KjkrDnMPByq7akrYA" + diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml index ab3e652..865d2c1 100644 
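Review bot: Moving the webhook to `admissionregistration.k8s.io/v1` in the `@@ -1,5 +1,5 @@` hunk changes more than the version string. v1 requires `sideEffects` and `admissionReviewVersions` on every webhook, and an omitted `failurePolicy` defaults to `Fail` where v1beta1 defaulted to `Ignore`. The `webhooks:` list lies outside the hunk, so it cannot be confirmed from here that these fields are set explicitly. `failurePolicy` decides whether Istio configuration writes are rejected or admitted unvalidated while istiod is unreachable, so it is worth pinning in the template with a comment such as `# set explicitly: v1 defaults to Fail when omitted`.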
--- a/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gateway-injection-template.yaml @@ -8,6 +8,7 @@ metadata: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: diff --git a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml index 71d892c..817cce5 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/gen-istio.yaml @@ -167,7 +167,6 @@ data: "address": "" } }, - "trustDomain": "", "useMCP": false }, "revision": "", @@ -183,7 +182,7 @@ data: }, "rewriteAppHTTPProbe": true, "templates": {}, - "useLegacySelectors": true + "useLegacySelectors": false } } @@ -215,6 +214,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -286,7 +286,7 @@ data: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -355,7 +355,7 @@ data: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true 
@@ -417,6 +417,10 @@ data: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER @@ -519,7 +523,7 @@ data: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: @@ -706,6 +710,7 @@ data: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} } spec: @@ -1063,8 +1068,6 @@ spec: value: "false" - name: CLUSTER_ID value: "Kubernetes" - - name: EXTERNAL_ISTIOD - value: "false" resources: requests: cpu: 500m @@ -1077,8 +1080,6 @@ spec: drop: - ALL volumeMounts: - - name: config-volume - mountPath: /etc/istio/config - name: istio-token mountPath: /var/run/secrets/tokens readOnly: true @@ -1090,9 +1091,6 @@ spec: - name: istio-kubeconfig mountPath: /var/run/secrets/remote readOnly: true - - name: inject - mountPath: /var/lib/istio/inject - readOnly: true volumes: # Technically not needed on this pod - but it helps debugging/testing SDS # Should be removed after everything works. @@ -1115,13 +1113,6 @@ spec: secret: secretName: istio-kubeconfig optional: true - # Optional - image should have - - name: inject - configMap: - name: istio-sidecar-injector - - name: config-volume - configMap: - name: istio --- # Source: istio-discovery/templates/autoscale.yaml apiVersion: autoscaling/v2beta1 
@@ -1148,12 +1139,17 @@ spec: name: cpu targetAverageUtilization: 80 --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/revision-tags.yaml +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +--- +# Source: istio-discovery/templates/telemetryv2_1.10.yaml # Note: metadata exchange filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.8 + name: metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1165,7 +1161,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1192,7 +1188,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1219,7 +1215,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1243,11 +1239,11 @@ spec: local: inline_string: envoy.wasm.metadata_exchange --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/telemetryv2_1.10.yaml apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.8 + name: tcp-metadata-exchange-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1257,7 +1253,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: {} patch: operation: INSERT_BEFORE @@ -1272,7 +1268,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE @@ -1288,7 +1284,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE 
@@ -1301,12 +1297,12 @@ spec: value: protocol: istio-peer-exchange --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/telemetryv2_1.10.yaml # Note: http stats filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.8 + name: stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1316,7 +1312,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1337,6 +1333,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: stats_outbound @@ -1348,7 +1346,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1369,6 +1367,16 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: stats_inbound @@ -1380,7 +1388,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1401,6 +1409,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio", "disable_host_header_fallback": true } vm_config: 
@@ -1410,12 +1420,12 @@ spec: local: inline_string: envoy.wasm.stats --- -# Source: istio-discovery/templates/telemetryv2_1.8.yaml +# Source: istio-discovery/templates/telemetryv2_1.10.yaml # Note: tcp stats filter is wasm enabled only in sidecars. apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.8 + name: tcp-stats-filter-1.10 namespace: istio-system labels: istio.io/rev: default @@ -1425,7 +1435,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1444,6 +1454,16 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] } vm_config: vm_id: tcp_stats_inbound @@ -1455,7 +1475,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1474,6 +1494,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -1485,7 +1507,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.8.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -1504,6 +1526,8 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | { + "debug": "false", + "stat_prefix": "istio" } vm_config: vm_id: tcp_stats_outbound @@ -1937,7 +1961,7 @@ spec: inline_string: "envoy.wasm.stats" --- # Source: istio-discovery/templates/mutatingwebhook.yaml -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: name: istio-sidecar-injector 
@@ -1948,12 +1972,13 @@ metadata: app: sidecar-injector release: istio webhooks: -- name: sidecar-injector.istio.io +- name: rev.namespace.sidecar-injector.istio.io clientConfig: service: name: istiod namespace: istio-system path: "/inject" + port: 443 caBundle: "" sideEffects: None rules: 
@@ -1964,11 +1989,106 @@ webhooks: failurePolicy: Fail admissionReviewVersions: ["v1beta1", "v1"] namespaceSelector: - matchLabels: - istio-injection: enabled + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "default" + - key: istio-injection + operator: DoesNotExist objectSelector: matchExpressions: - - key: "sidecar.istio.io/inject" + - key: sidecar.istio.io/inject operator: NotIn values: - "false" +- name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "default" +- name: namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +- name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + 
namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist diff --git a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml index 8b1f156..39a6424 100644 --- a/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/files/injection-template.yaml @@ -9,6 +9,7 @@ metadata: annotations: { {{- if eq (len $containers) 1 }} kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{ end }} {{- if .Values.istio_cni.enabled }} {{- if not .Values.istio_cni.chained }} @@ -80,7 +81,7 @@ spec: - "--run-validation" - "--skip-rule-apply" {{ end -}} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} env: {{- range $key, $value := .ProxyConfig.ProxyMetadata }} @@ -149,7 +150,7 @@ spec: {{- else }} image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} resources: {} securityContext: allowPrivilegeEscalation: true @@ -211,6 +212,10 @@ spec: - wait {{- end }} env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} - name: PILOT_CERT_PROVIDER 
@@ -313,7 +318,7 @@ spec: - name: {{ $key }} value: "{{ $value }}" {{- end }} - imagePullPolicy: "{{ valueOrDefault .Values.global.imagePullPolicy `Always` }}" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} readinessProbe: httpGet: diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml index 3a6bb68..f63fff1 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/configmap.yaml @@ -1,8 +1,7 @@ - {{- define "mesh" }} # The trust domain corresponds to the trust root of a system. # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: {{ .Values.global.trustDomain | default "cluster.local" | quote }} + trustDomain: "cluster.local" # The namespace to treat as the administrative root namespace for Istio configuration. # When processing a leaf namespace Istio will search for declarations in that namespace first @@ -13,8 +12,6 @@ defaultConfig: {{- if .Values.global.meshID }} meshId: {{ .Values.global.meshID }} - {{- else if .Values.global.trustDomain }} - meshId: {{ .Values.global.trustDomain }} {{- end }} tracing: {{- if eq .Values.global.proxy.tracer "lightstep" }} 
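Review bot: The `mesh` define in configmap.yaml now hard-codes `trustDomain: "cluster.local"` and drops the `meshId` fallback to `.Values.global.trustDomain`, so an existing install that sets `global.trustDomain` silently loses its value instead of failing the render. The trust domain is part of every workload's SPIFFE identity, so an unnoticed switch to `cluster.local` can break AuthorizationPolicy principals and cross-cluster mTLS. The values.yaml hunks of this commit remove `global.trustDomain` and add `meshConfig.trustDomain`; whether that key overrides the hard-coded line depends on merge code outside this hunk. A guard would make the migration explicit: `{{- if .Values.global.trustDomain }}{{ fail "global.trustDomain was removed, set meshConfig.trustDomain" }}{{- end }}`.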
@@ -50,8 +47,8 @@ maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} {{- end }} {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{- /* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */ -}} - {{ toYaml $.Values.meshConfig.defaultConfig.tracing }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} {{- end }} {{- if .Values.global.remotePilotAddress }} {{- if .Values.pilot.enabled }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml index c7a42c0..9c226dc 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/deployment.yaml @@ -25,7 +25,7 @@ spec: maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} selector: matchLabels: - {{- if ne .Values.revision ""}} + {{- if ne .Values.revision "" }} app: istiod istio.io/rev: {{ .Values.revision | default "default" }} {{- else }} @@ -39,10 +39,10 @@ spec: install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} sidecar.istio.io/inject: "false" operator.istio.io/component: "Pilot" - {{- if eq .Values.revision ""}} - istio: pilot - {{- else }} + {{- if ne .Values.revision "" }} istio: istiod + {{- else }} + istio: pilot {{- end }} annotations: {{- if .Values.meshConfig.enablePrometheusMerge }} @@ -153,8 +153,6 @@ spec: value: "{{ .Values.global.istiod.enableAnalysis }}" - name: CLUSTER_ID value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: EXTERNAL_ISTIOD - value: "{{ $.Values.global.externalIstiod | default "false" }}" {{- if not .Values.telemetry.v2.enabled }} - name: PILOT_ENDPOINT_TELEMETRY_LABEL value: "false" 
@@ -173,8 +171,6 @@ spec: drop: - ALL volumeMounts: - - name: config-volume - mountPath: /etc/istio/config {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - name: istio-token mountPath: /var/run/secrets/tokens @@ -188,9 +184,6 @@ spec: - name: istio-kubeconfig mountPath: /var/run/secrets/remote readOnly: true - - name: inject - mountPath: /var/lib/istio/inject - readOnly: true {{- if .Values.pilot.jwksResolverExtraRootCA }} - name: extracacerts mountPath: /cacerts @@ -219,13 +212,6 @@ spec: secret: secretName: istio-kubeconfig optional: true - # Optional - image should have - - name: inject - configMap: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - - name: config-volume - configMap: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.pilot.jwksResolverExtraRootCA }} - name: extracacerts configMap: diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml index f9fd67b..b50f0b7 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/mutatingwebhook.yaml @@ -11,6 +11,7 @@ a unique prefix to each. */}} name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} namespace: {{ .Release.Namespace }} path: "/inject" + port: 443 {{- end }} caBundle: "" sideEffects: None @@ -24,7 +25,7 @@ a unique prefix to each. */}} {{- end }} {{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} {{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: {{- if eq .Release.Namespace "istio-system"}} 
@@ -41,7 +42,7 @@ metadata: webhooks: {{- if .Values.sidecarInjectorWebhook.useLegacySelectors}} {{- /* Setup the "legacy" selectors. These are for backwards compatibility, will be removed in the future. */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "")) }} +{{- include "core" . }} namespaceSelector: {{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} matchExpressions: @@ -92,18 +93,21 @@ webhooks: {{- end }} {{- else }} -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} -{{- if .Values.revision }} + {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} {{- /* Case 1: namespace selector matches, and object doesn't disable */}} {{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }} namespaceSelector: matchExpressions: - key: istio.io/rev operator: In values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} - "{{ .Values.revision }}" + {{- end }} - key: istio-injection operator: DoesNotExist objectSelector: @@ -114,7 +118,7 @@ webhooks: - "false" {{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }} namespaceSelector: matchExpressions: - key: istio.io/rev 
@@ -130,10 +134,15 @@ webhooks: - key: istio.io/rev operator: In values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} - "{{ .Values.revision }}" + {{- end }} -{{- else }} -{{- /* "default" revision */}} + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} {{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} {{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml index fef641a..40b2e60 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/poddisruptionbudget.yaml @@ -16,7 +16,7 @@ spec: selector: matchLabels: app: istiod - {{- if ne .Values.revision ""}} + {{- if ne .Values.revision "" }} istio.io/rev: {{ .Values.revision }} {{- else }} istio: pilot diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml new file mode 100644 index 0000000..3df335d --- /dev/null +++ b/charts/kubezero-istio/charts/istio-discovery/templates/revision-tags.yaml 
@@ -0,0 +1,113 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +{{- define "core" }} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: {{ .Values.istiodRemote.injectionURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "/inject" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} + +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + 
matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml index 1fe1b5a..1d4d9fe 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/service.yaml @@ -27,7 +27,7 @@ spec: protocol: TCP selector: app: istiod - {{- if ne .Values.revision ""}} + {{- if ne .Values.revision "" }} istio.io/rev: {{ .Values.revision }} {{- else }} # Label used by the 'default' service. For versioned deployments we match with app and version. 
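Review bot: revision-tags.yaml emits one `MutatingWebhookConfiguration` per entry of `.Values.revisionTags`, but the `range` body never writes a `---` separator, so two or more tags render into a single YAML document with repeated `apiVersion`/`kind`/`metadata` keys; add `---` as the first line inside the `range`. The file also opens with `{{- define "core" }}`, a name that mutatingwebhook.yaml appears to define as well (its own `define` line is outside the visible hunks). Helm keeps only one definition per template name, and this copy lacks the `port: 443` that the commit adds to the other one, so which webhook body is rendered depends on load order. Giving this copy its own name, e.g. `{{- define "revisionTags.core" }}`, and updating the four `include` calls removes the ambiguity. Quoting the tag, `istio.io/tag: {{ $tagName | quote }}`, would also keep a tag such as `true` or `1` a string.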
diff --git a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml similarity index 88% rename from charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml rename to charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml index b1db1b9..3e4e597 100644 --- a/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.9.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/templates/telemetryv2_1.10.yaml @@ -3,7 +3,7 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -19,7 +19,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -54,7 +54,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -89,7 +89,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -124,7 +124,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -138,7 +138,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: {} patch: operation: INSERT_BEFORE 
@@ -153,7 +153,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE @@ -169,7 +169,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' cluster: {} patch: operation: MERGE @@ -187,7 +187,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -201,7 +201,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -224,15 +224,7 @@ spec: {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} { "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "stat_prefix": "istio" } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} @@ -255,7 +247,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -309,7 +301,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -333,15 +325,7 @@ spec: { "debug": "false", "stat_prefix": "istio", - "disable_host_header_fallback": true, - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "disable_host_header_fallback": true } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} 
@@ -365,7 +349,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -379,7 +363,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -431,7 +415,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -452,15 +436,7 @@ spec: {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} { "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "stat_prefix": "istio" } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} @@ -483,7 +459,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -504,15 +480,7 @@ spec: {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} { "debug": "false", - "stat_prefix": "istio", - "metrics": [ - { - "dimensions": { - "source_cluster": "node.metadata['CLUSTER_ID']", - "destination_cluster": "upstream_peer.cluster_id" - } - } - ] + "stat_prefix": "istio" } {{- else }} {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} 
@@ -537,7 +505,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -552,7 +520,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -573,7 +541,7 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s"} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} {{- else }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{- end }} @@ -587,7 +555,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: 
@@ -608,7 +576,7 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} {{- else }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{- end }} @@ -621,7 +589,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -642,7 +610,7 @@ spec: "@type": "type.googleapis.com/google.protobuf.StringValue" value: | {{- if not .Values.telemetry.v2.stackdriver.configOverride }} - {"enable_mesh_edges_reporting": {{ .Values.telemetry.v2.stackdriver.topology }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "meshEdgesReportingDuration": "600s", "disable_host_header_fallback": true} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} {{- else }} {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} {{- end }} @@ -655,7 +623,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} 
@@ -670,7 +638,7 @@ spec: match: context: SIDECAR_OUTBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -703,7 +671,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -735,7 +703,7 @@ spec: match: context: GATEWAY proxy: - proxyVersion: '^1\.9.*' + proxyVersion: '^1\.10.*' listener: filterChain: filter: @@ -768,7 +736,7 @@ spec: apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: - name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.meshConfig.rootNamespace }} namespace: {{ .Values.meshConfig.rootNamespace }} {{- else }} @@ -782,7 +750,7 @@ spec: match: context: SIDECAR_INBOUND proxy: - proxyVersion: '1\.9.*' + proxyVersion: '1\.10.*' listener: filterChain: filter: diff --git a/charts/kubezero-istio/charts/istio-discovery/values.yaml b/charts/kubezero-istio/charts/istio-discovery/values.yaml index 1290bee..fc595d4 100644 --- a/charts/kubezero-istio/charts/istio-discovery/values.yaml +++ b/charts/kubezero-istio/charts/istio-discovery/values.yaml @@ -68,7 +68,7 @@ sidecarInjectorWebhook: # If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook # requests in Istiod, rather than at the webhook selection level. # This is option is intended for migration purposes only and will be removed in Istio 1.10. - useLegacySelectors: true + useLegacySelectors: false # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or # always skip the injection on pods that match that label selector, regardless of the global policy. # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions 
@@ -157,15 +157,13 @@ telemetry: enabled: false logging: false monitoring: false - topology: false + topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. disableOutbound: false # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. configOverride: {} # e.g. - # enable_mesh_edges_reporting: true # disable_server_access_logging: false - # meshEdgesReportingDuration: 500s # disable_host_header_fallback: true # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. accessLogPolicy: @@ -176,6 +174,9 @@ telemetry: # Revision is set as 'version' label and part of the resource names when installing multiple control planes. revision: "" +# Revision tags are aliases to Istio control plane revisions +revisionTags: [] + # For Helm compatibility. ownerName: "" @@ -197,6 +198,10 @@ meshConfig: rootNamespace: + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + # TODO: the intent is to eventually have this enabled by default when security is used. # It is not clear if user should normally need to configure - the metadata is typically # used as an escape and to control testing and rollout, but it is not intended as a long-term @@ -232,7 +237,7 @@ global: # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.9.3 + tag: 1.10.2 # Specify image pull policy if default behavior isn't desired. # Default behavior: latest images will be Always else IfNotPresent. @@ -505,8 +510,6 @@ global: # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. useMCP: false - # Deprecated, use meshConfig.trustDomain - trustDomain: "" base: # For istioctl usage to disable istio config crds in base enableIstioConfigCRDs: true 
diff --git a/charts/kubezero-istio/templates/grafana-dashboards.yaml b/charts/kubezero-istio/templates/grafana-dashboards.yaml index edb9810..e0e0de3 100644 --- a/charts/kubezero-istio/templates/grafana-dashboards.yaml +++ b/charts/kubezero-istio/templates/grafana-dashboards.yaml 
@@ -11,11 +11,11 @@ metadata: k8s-sidecar-target-directory: Istio binaryData: istio-control-plane.json.gz: - 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 + 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 istio-mesh.json.gz: - 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 + 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 istio-service.json.gz: - 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 + 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 istio-workload.json.gz: - H4sIAAAAAAAC/+1da3PbOLL97l8Bc7O35FzHEfWwralMqmI7mUndTOxrOZmqGWdVNAlJXFOkwodjx+X97QuAbxKUST1ISuoP44kIEASB7sY53U3gcQchYTBQ9aljW8Iv6G/yG6FH9peU6NIEk6vCWX9wcXn+x/ur399/6Qv7frEm3WCNll+YxgTbY+xYYaGCLdlUp7Zq6LRKWGA/TFmjimRLluGYMg7LppozUvWPCi2fchp1yz973Yo8llV4In+/7buvZOLvjmpizkv5zx+Z0lDSpbBxVeFe9gfht2TBHTYt7+0ODzoHba8T+/zHTSWdDFb6YdMx91HRy5EHzX4Gb0jVzMHU08PIe2T3oHnQnOPdbOlGw+mnXcUvp98tmERJ1w1bogJEZ9F9qKCplh3MadgVUnLjqJr9kbYk7odXI0NCHvGCM0KkEtZZp35BtungyPWxqnCuqrKhnxqaYdIWzdGN1Gjuo5Yokj/d7j4S96JN+6/9LnwZ9D/onYZN24rWC6fQGt8YkqkIXtkT+/+3HW/0k3r10SL/Qn8a5q1mSAo6829H3sAi8aBHRJPdihXV9l50KGkWeydhpGObKdzRYbvpXqHSd2UYmq1OyXX3ompjU/IeKnbbYrvT7RyKncMuK9VU/ZapmjtzTB44qicbmiZNLawkBpU8UlUujHCa3dFPTOUP8rvViVy493vn/X6gv/1hi0tjrxvakHjn4lLEOqnbWKdCJrxR1Dska5Jl/XodzsyrMZYUbCIb39uvZFIVm9fC22v9jUWafvvn+eX/fTp/d/YLevHDm5WDF1QKSKmM37xmlUjl16TttxEJIE8eqlhTTg19qI5iI+HZ06HkaLaVKqFddizbmNCSp1jR0368DYMIBRlp1yp+28moyJ2NYEbaiTaTs8KbmWB2xMxnslk67sWuxaUquDwxmFYKY3uixQfQmMatRfVzmuxu5vu7K9vX0BoeHYjE7Mbq2KrNlFdIXDYlnfTAdF8wbqwiloW+Wvj8yNPj0i/JY3ylTrDh0NZ0R9P249pBDN+JJN+OTMPRlagpidf5KmkOzi6OKyC7zkxpq0NMaLfj/tc86O0lh9Ot1T4ihrbV20edJq12nFGvS0rFoxap1mWtHe1FZyAuVnlWihop6dAwJxKTaGNqxbs4kpwRTnduIt37kyI2k9o5IcLnFSaLrLHxgzeRVLbGBGKNDU35RKGg9VytPyTzFrOpp1I6n/3pcOzPcU7z05ltfsRW/Bq1AneSxlODDNM0wwARmf/DswR3bKAT/WOrrl+DKLOUrPBvIj/q8CGo4thGsophqsQI+Mu0MCa/fxLLJ2kp5cCKI+PzjN4yM6DJaRX1UL9lfzbsz2RIhETpt/1kO0xbrJTNcqEfHYZAZmbqBLVdsRfPnMiJNJ2q+ujKNXpiVln63VJD4CM31k1kG2xtyHiLxNKWeoHMxonpHuVovBVvPNOGERU/I3brwiCya6X1XKByzAr9wSQL
o45lmyCyVL0r2iOO6E8Nyx6q9+l1yCv4QCSur/5kzXeb/0zUMTH/XnZ95q1sqP4g8PH5qRuazNCy10gPqu2+mPD59TtOoRHcmHPM6dJ7S+wBx+IOVU2LM4U2YQmieEz+EKxDViTxOLVwDemz0+u4a3RwtDm3tRZd43rtVDue2Z5paRkdIE06E52DKyRzhO0cw43vp26XKCJoWM6koRKugBsq5SaMiWPLtgY2IUDao4mnhkkMK0FfL76TH9fCPlnrbFVnZmvg46tBAK9+/Q+pGfzKqM4q+T+uhae/u5Nve3t0hJtNcS89zeHqaROsM7AwsZxWupq/BHyQZJsNu5iqQgTX9VdwhMmy8TSx7MySpGCdtDiT4WO/j7pskMV6hC7dcUVf6fQlQIqP+SxSUSOVpLhtce1KVNuOk9rGauTTNoO+o/BrQUXzTVshXWM3+e4f2TEZ5q09puWg0EVAbRoiL4ppFSyrE4nht9Tg1A/vTrFJGZqjq/ZSce9xGcA3iXVWgHyP50C+HUC+gHwB+QLyBeQ7D/KtA+bdJ2vNlBg1PJCJiO+Swu7BywAKo9eoRsC8JEA+F+7uEXTV69H/DrrPYfC+I8vYstAlGVXU0A39Vff+HvkTYe1tISqX7kbPI3JJUyXr1MfMj3HVvJFMLqBi3vpPWB/ZLDLUTJXhrNvWy7GrMisopi7+ZkqK6jr5m8tHjeJhIdg4VhUF631XTXmj7gZ0juLYEY8w41eJfhJxGOnvrKtkcDJa5W6UUeLTQH4pDeG+n0zthxnlf2HTyCgmsCKrRNUzSkx1NCYqzAkdJ1enJNajdjij0UzI+JRE59jiRYFowQ9Vsccp0coA9CnAlIIUPhGTRnxOnCekNaVPoHLt0C5002V84SITrmATs7V3qBkJO+ouHucxdUsCFxlnWRJil+Vb7lOpO2eKlU8u4kmXF4YNjTFZiQ3CfyaD746k26qGG80D6i7IWKsHiuNG4QcTYhBUCxMUq1iDG0e+xXbeFTyJG1CxZf7pb5EBipsH1NAwQxYEbDf3kGGi+d+nFq+yMCzh070coMW1jB+Cp110m0J+ZLO/iLj1Nkzcepsvbl5eEmedmFPaerOk7WSp0tbbMGnrgbQVlrbeDGk7nYu1JRZ4+j4fXFdIyotDyy7xyPP/cW7sj9Whzb/T439+6OXMm+AEzQtS5x6TyE8yU7lvfhmRCE7WAoN9A584qrqi3qmKI81IJIqkt0ZySF2YL92rHJbgSiXP+R/JXqIDk/SzeK48zl3ZGDfAsTMY0IN0n8dNGYovR2j93OR052ihMTqRLMyVVhfxc29zIT+3iO9yet5YRt5hTCWgJu/B8Utn6uEDX6oYp8sic7TsE74L3myH96AahvP+0er15M7hvOG7fyidjtSWNjAH7WTrc9DiyWMzktCOn8mBhVAchOIgFAehOAjFLSUUZ8tTwmx0e3DzYOMZsa6C7IpfPxXtcinY/yJer0wsY/UOKxX2rDacUFh6GC8jdHd1eoH6pHfYRFemNByqMsToAGYDzF5rmJ26mAdndwFnA84GnA04G3B2qTjbXWlzAdlE1dWg62X3Zzsx9alGVyPA1PF7voW7nviD9RvWsRlZpIPRMYkGc3fZKGHXBDFj14R2WbsmfPx8cv7l8xnyv7Tvb/tGCe3Z6LXTredOCYXmce02R4C01WfTVptLSls9XCTEIh4umLfa6ubLW11CUioH+s2TdLrOWaVIstBPmoML2aXLzC7N9Tm2xwm9LCXHVO2HwdTQVPmBGP2JYzuSNrA1a0Vu6H2UA5GzeyxT/qE9D9dJNd0KP3qhuU+JG2a0sI9in9CU8vl4ErQ/Pib7h56eDtJXw16TckQs02O88/Rq49pRjtsK+auIzcnVp/6eMM/n66250v8WlL5dEL+FxW/ZhHKJsjkz3TSnINYxMzC5O4OFTh5Qnw0Peqcr5LI7DuiUrn8F0wa56/7W5Q2mnXi2lKDsS0wtTG6uteKkPIGTiA25heXl
FgLDK+3DxMOFonuLU7zDKineCj47hO8KgfnNvR0BqpgH8vcuqA6Lz7dfQtWjWN1wrTlHqZQpL1XOdkFd12cYQV/n09eN9x48t69M6FWATw+r/fQwazPCZRBsgcBaUQBPAXgKcu/jyT9zZ9vcCHn3g2+1FnUi1Gp/o3L8DNHtjcAPAX6ISvc3WpRxL7jHxnIQvDhXsLDMvZe2fJhrxJYSPWVcKbP3T0/ootus1rux+k2nwAaUsiEW2IC1tQG9gjbgpBwb0AUbUJoN6IIN2HIb0C1mA07LsQE9sAGl2YAe2IAttwG9YjbgrBQbUJI/YBeMQCkOgV2wAnX3CMxQ+febRP9B5cvh/6DytXcAzFD5D5vE9kHly6H7oPK15/szVP63TSL3oPLlsHtQ+drT+xkq//smfVYZnLwAiZBbeQYDJD9C8uMWfyaZ99TvxfMbj2ue3wgJjJDAuMIExsIudHezSQieQSLd0hPpCvt2QRY3VRarz+gq7HUEYYTMohVlFhV2h4EsbrBhrDjFpUzECA5ZyLSoBh+C5EHAvxowCJIHcedqoB9IHoQ/6xL+pAelQOizLqFPBcvMrkAEFCKgEAGtLAIqHq4iBHoIIVAIgUIINI9Dy9sTEtyrEAOtPgYKwghB0PoEQUEaIQpamygoCCOEQesTBl1cGsEzC3HQijAiiB4EQisChCB6EAmtCP6B6EEotKJQaHCAJoRAIQQKIVAIgcJZmdEYKPeUi+MFQ6DHzZUelQmHXUKAcoEAJf+geVueEqgrY/UOKx7U3exjG+cBuptwxHzVpzeuVPx2Qf5my19JIrapBw6eUMlEl56goiF5EgqSTa9OL9BpIJrAsKplWCdTIFfLJVfp9wBuBdwqm1ulLi6HXLWAXAG5Wj9yZZFxjSHbAiSKB4IB2AJ3mku6dkG8gDdVwpv6REiRbQBjAsYEjKk0xrSTeFz0M9kbuqCgPz1LFE5/IP8meY+dyAz43RNkQ9OkqZVSRC53EBIYlXGGVidyIRGLcanCTmLyXQLQCxoSppKOtbiMx1ghWQRtF+oLb4jOI1mTLIuscpTb3RiSqbwaY4nATmTje/sVRb7YvBbeXutviD3W355/uTo5//L5DPXfX379ePq+/+Y1u07KX5Pm3taT7s0kb20OeYtOxMzAmNjJfKj76V8vDw3xbeHYniTYhzG1vUUm0fMy5zHZw8xXzkOGAlVLXDYlnfTAo6EpZucrH30bAVwfi7s+mnUIK4tHC3o+jlYbVl7BZ7Pr7BhBkoV+YtMAB0kJDhJvu5k5XCOzWeOz6ZFRdhqhwW7VJK8lg3ynei0rpLd3MiWk3YCQcurSVr38UZkIV1VElNMzQkYRsR2P8Q6iero4csvH7tYLyAoyDIpIz6Z6MM4de2REthSyaC7tWTgw6B0hUkGy7SldSAq6M7gL6Nb5M5IS4gKF2NUlujwMcHlABi5QpdpFiRfnSmKVXIkW/0W5A8SYIca8dAr1DDjmotRKGFUMG+6Swu7ByyVAZnq249qMwcIvuwZEoFLCuFxJ2AV1WDGJ3nx92HgK3HdkGVsWuiQChxq6ob/q3t8HngBrL0GNIa5fbVzfA1yOri6fJQoEm4kC0F2guznpLjGZsqmyQG86LrrlG/JyP0ZtL8qEWzXfj3cFZBm26wUynZNMNwofQKV4R6kPJsQgqAQ6G7rC2xdmGcTzuQzavBm5fKAtzg5M0U1dCLcQm83mHjJMNP9IbfggrQFFr3wn4kbh47ZAzwqPFOhZ5XpW9R7LjcKHi4GeFR4p0LPq9azi7aMbhY9SAz0rPFKgZ9XrWcUbY1fLz3aBoG3EKK0HQytx0+9q6dgu8DFQq9IIWYkbmlfLvnaBfoFalca/StysvVqytQtsC9SqNLq1qRvRJz+gQWee3EG2UK2yheCDGMgQgg9iqksCOl5JElAbDuWGLB84lDu3ZzTrsCeIO2xJvkphpx9IzJZnXhT2Z4HEbHkOQWFXDUjMlkfDS8Ux4NFbu7Bu
qagF5GPt4pOlYhSQj7ULtJWKSEA+IGJUKGLkH2EM0SI4xxiCRhA0gqCRHzQSD1cSNepA1AiiRhA1yuFt8XZ2AgcdhI3yOmBAZCBuVNAnAyIDgaOCbhoQmVqIzFqFjpYgM+Db2+TYEQgIBI9WDVRAQDY5egQCAuGjFYePgsN4IGwEYSMIG0HYCA7fScWNuDsO9xYNGx2u9OwdOD0HgjoLBHX4B0za8pTAIt1PaCp8DCkXu5Z6asZMPFqzc0dreMJoQQHYBQmAI1LSnOOECg/qEzlCho6CBLar0wt0GsgSkI9qyccJHPq5ZN6Rfg+gHUA7Cp75uTjvOAbeAbxj/XiHiWWs3mElBj3X6gRL4B77dRCCXZAC4B+Ef1x6soSG5EnAQoCFAAspjYXsJB4X+5zthpp/1HfNUDj9gfyb5D12/GZYE9QuUWtCS9tN9xbBksd4IoVgq3XoXrYf3Ccpknnr1iR4LRRK4SNdbYSgaRtPphqxjHpIQghAtOyIFIfjEwHHj3H8pRF7wrUQ5AH3XrSPMZq4YjOlipbymJwfCY+YGGJQZM1R8DuNA58zJI+sisS6cap71kDgEjXBYMdUJo2x8N3B5gM7WJWYV2yPsRPVZLf4q/920ZJwLsXY1RG+T1a1btXpF1PrP+gyp9u+vES6vZMYu8jMSZrmdycxLJE5jQ56HhZLp03VVc45nnPPmfDZxyNCganTeTc9N3PsHzQNhTTuwjHOsdlpLJPGUWzL3bABnhc5VzN7BeTk9cHLCJC7Fhp//+ta+PZy7+Dl6/wilF67qbFgcmL9vz9MQrw0NZ70Gr+yJ6DugEcKHAtfuQ1Fue1aS+2f3mwWEdofnHsKyWym0D7OFrQk7n/Kls6EaCcek5tZeE9I1N9jrTdma87K3oX7sIXfqKAOB0xrMQ0W11uDi2OJjCSuCJ4Ia3AxRVWG4tJj8zxDEX/fwE58NwnzLGAj2LMGLl9p+N6DvZVgEE/8WrCA5JSLxBQHYvFRd2mBv46gmTAoQ1AsU9atpSOgqAPqBZXFpCMoYsMynUXzGtRCIKsuPS24BiwLxoEWLlsLi+neD21dde85HzEzLJmYpzaKudhrVIPc2qC0CyptJKPf96oV0Fs3crFSxc3MBJv/25Sn7BBLMW0st28FVYwXbVpM2zr10Db2fxpGeHJ9sCqTRc/7OnQjQ4Ju/Hgl+oEQwTa8a0Lstqkq37KouHezN6gDP04WjUYI3UnobRajP9rNaEkYfBFakX+Lisukvvk9onG6iLI8+5Row4fRhqNPaXWiP8IVWDhSov31+xIbjJ+GHrpbQ58783iHyPpMssY3hmS67QkOSxsRvtxY/b+uzlTPZ34X+NXFnaf/AluDM8vxjQEA + 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 {{- end }} diff --git a/charts/kubezero-istio/update.sh b/charts/kubezero-istio/update.sh index f7b2313..63f5bb9 100755 --- a/charts/kubezero-istio/update.sh +++ b/charts/kubezero-istio/update.sh 
@@ -4,14 +4,14 @@ set -ex ### TODO # - https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/ -export ISTIO_VERSION=1.9.3 +export ISTIO_VERSION=1.10.2 rm -rf istio curl -sL "https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux-amd64.tar.gz" | tar xz mv istio-${ISTIO_VERSION} istio # remove unused old telemetry filters -rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[678].yaml +rm -f istio/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.[6789].yaml # Patch patch -p0 -i zdt.patch --no-backup-if-mismatch diff --git a/charts/kubezero-istio/values.yaml b/charts/kubezero-istio/values.yaml index e1531d4..e248fd9 100644 --- a/charts/kubezero-istio/values.yaml +++ b/charts/kubezero-istio/values.yaml @@ -1,9 +1,8 @@ global: # hub: docker.io/istio - # tag: 1.9.3 + # tag: 1.10.2 logAsJson: true - jwtPolicy: first-party-jwt defaultPodDisruptionBudget: enabled: false
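Review bot: The release tarball is still piped from `curl -sL` straight into `tar xz` with no integrity check, so bumping `ISTIO_VERSION` to 1.10.2 re-vendors every chart from whatever that URL returns. I would download to a file and verify a digest pinned in this script next to the version before extracting: `curl -fsSL -o istio.tar.gz "$URL"`, then `echo "${ISTIO_SHA256}  istio.tar.gz" | sha256sum -c -`, then `tar xzf istio.tar.gz`, where `ISTIO_SHA256` is a placeholder for the digest recorded when the version is bumped. Pinning the digest in the repository matters because a checksum fetched from the same release location only detects corruption, not a replaced artifact. The `-f` flag also matters: with `set -ex` and no `pipefail`, a failed download is currently only noticed if `tar` happens to reject the response body.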
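Review bot: Removing `jwtPolicy: first-party-jwt` from `global` in charts/kubezero-istio/values.yaml changes how workloads authenticate to istiod, and neither the hunk nor the visible commit subject mentions it. With the key gone, the value falls back to the bundled chart's default, which is not visible in this hunk but is `third-party-jwt` in upstream Istio. That is the stronger setting (projected, audience-bound, expiring service account tokens), but it depends on service account token volume projection being enabled on the cluster. I would leave a comment where the key was, for example `# jwtPolicy: chart default (third-party-jwt); requires projected service account tokens`, and state the requirement in the chart's upgrade notes so operators can check their clusters before rolling this out.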