diff --git a/.tekton/deploy-infra-to-openshift.yaml b/.tekton/deploy-infra-to-openshift.yaml
new file mode 100644
index 000000000..73f08db6f
--- /dev/null
+++ b/.tekton/deploy-infra-to-openshift.yaml
@@ -0,0 +1,88 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: openshift-redeploy-infra-task
+spec:
+  params:
+    - name: source-branch
+      type: string
+      description: "Git branch name"
+    - name: prod-version
+      type: string
+    - name: dev-version
+      type: string
+    - name: prod_image_tag_base
+      type: string
+    - name: dev_image_tag_base
+      type: string
+  workspaces:
+    - name: source
+  steps:
+  - name: redeploy
+    image: quay.io/projectquay/golang:1.24
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      privileged: true
+    workingDir: $(workspaces.source.path)
+    env:
+      - name: STORAGE_DRIVER
+        value: vfs
+    script: |
+      #!/bin/bash
+      set -e
+
+      echo "📦 Installing dependencies with dnf..."
+      dnf install -y make jq curl gettext && dnf clean all
+
+      echo "📥 Installing kubectl..."
+      curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+      install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
+
+      echo "📥 Installing kustomize..."
+      KUSTOMIZE_TAG=$(curl -s https://api.github.com/repos/kubernetes-sigs/kustomize/releases/latest | jq -r '.tag_name')
+      KUSTOMIZE_VERSION="${KUSTOMIZE_TAG##*/}"  # strips prefix like 'kustomize/' from tag
+
+      curl -LO "https://github.com/kubernetes-sigs/kustomize/releases/download/${KUSTOMIZE_TAG}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz"
+
+      tar -xzf "kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz" -C /usr/local/bin
+      chmod +x /usr/local/bin/kustomize
+      kustomize version
+
+      echo "🔧 Getting namespace and project_name from Makefile..."
+      DEFAULT_NAMESPACE=$(make -s print-namespace)
+      PROJECT_NAME=$(make -s print-project-name)
+
+      if [ "$(params.source-branch)" = "main" ]; then
+        NS="${DEFAULT_NAMESPACE}"
+        IMAGE_TAG_BASE=$(params.prod_image_tag_base)
+        VERSION=$(params.prod-version)
+      else
+        NS="${DEFAULT_NAMESPACE}-dev"
+        IMAGE_TAG_BASE=$(params.dev_image_tag_base)
+        VERSION=$(params.dev-version)
+      fi
+
+      echo "🔧 Using namespace: $NS"
+      echo "🔧 Using project_name: $PROJECT_NAME"
+      echo "🔧 Using image_tag_base: $IMAGE_TAG_BASE"
+      echo "🔧 Using version: $VERSION"
+
+      # echo "🧹 Uninstalling existing deployment..."
+      # # make uninstall-openshift NAMESPACE=$NS PROJECT_NAME=$PROJECT_NAME IMAGE_TAG_BASE=$IMAGE_TAG_BASE VERSION=$VERSION || echo "❗️ Failed to uninstall deployment"
+      
+      # (make uninstall || echo "❗️ Failed to uninstall") && (make undeploy IMG=$IMAGE_TAG_BASE:$VERSION || echo "❗️ Failed to uninstall deployment")
+      
+      # echo "⏳ Waiting 3 seconds before reinstall..."
+      # sleep 3
+
+      echo "🚀 Reinstalling OpenShift deployment..."
+      INFRASTRUCTURE_OVERRIDE=true make install-openshift-infrastructure
+
+      echo "⏳ Waiting 20 seconds before verifying resources..."
+      sleep 20
+
+      echo "🔍 Checking status of resources in namespace: $NS"
+      kubectl get pods -n $NS || echo "❗️ Failed to get pods"
+      kubectl get deploy -n $NS || echo "❗️ Failed to get deployments"
+      kubectl get svc -n $NS || echo "❗️ Failed to get services"
+      kubectl get routes -n $NS || echo "❗️ Failed to get routes"
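Review bot: The `redeploy` step downloads `kubectl` and `kustomize` at run time from whatever `stable.txt` and `releases/latest` currently point to, with no digest check and no `curl -f`, and then runs them against the cluster through `make install-openshift-infrastructure`. Pinning both versions and checking each download against a SHA-256 recorded in the repository makes the run reproducible and stops a changed or tampered download from executing with the pipeline's cluster credentials. Baking the tools into the step image would remove the downloads altogether. The step also sets `privileged: true` and `STORAGE_DRIVER=vfs`, which nothing in the visible script appears to need, so they should be dropped unless a make target requires them. The version and digest values in the sketch below are placeholders for the maintainers to fill in.

```yaml
    script: |
      # … unchanged: shebang, set -e, dnf install …

      echo "📥 Installing kubectl..."
      KUBECTL_VERSION="<PINNED_KUBECTL_VERSION>"      # placeholder
      KUBECTL_SHA256="<EXPECTED_KUBECTL_SHA256>"      # placeholder
      curl -fsSLO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
      echo "${KUBECTL_SHA256}  kubectl" | sha256sum --check --strict
      install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

      echo "📥 Installing kustomize..."
      KUSTOMIZE_TAG="<PINNED_KUSTOMIZE_TAG>"          # placeholder
      KUSTOMIZE_SHA256="<EXPECTED_KUSTOMIZE_SHA256>"  # placeholder
      KUSTOMIZE_VERSION="${KUSTOMIZE_TAG##*/}"
      KUSTOMIZE_TGZ="kustomize_${KUSTOMIZE_VERSION}_linux_amd64.tar.gz"
      curl -fsSLO "https://github.com/kubernetes-sigs/kustomize/releases/download/${KUSTOMIZE_TAG}/${KUSTOMIZE_TGZ}"
      echo "${KUSTOMIZE_SHA256}  ${KUSTOMIZE_TGZ}" | sha256sum --check --strict
      tar -xzf "${KUSTOMIZE_TGZ}" -C /usr/local/bin kustomize

      # … unchanged: kustomize version, namespace selection, make install-openshift-infrastructure, status checks …
```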
diff --git a/.tekton/infra-pipelinerun.yaml b/.tekton/infra-pipelinerun.yaml
new file mode 100644
index 000000000..6d904782b
--- /dev/null
+++ b/.tekton/infra-pipelinerun.yaml
@@ -0,0 +1,182 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: modelservice-infra
+  annotations:
+    pipelinesascode.tekton.dev/on-event: "[push]"
+    pipelinesascode.tekton.dev/on-target-branch: "[infra]"
+    pipelinesascode.tekton.dev/task: "git-clone"
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/git-status: "true"
+    pipelinesascode.tekton.dev/on-cel-expression: >
+      (!has(body.ref) || body.ref == 'refs/heads/infra') &&
+      (!has(body.head_commit) || !has(body.head_commit.author) || !body.head_commit.author.name.matches("(?i).*ci-tag-bot.*")) &&
+      (!has(body.pull_request) || body.pull_request.base.ref == 'infra')
+spec:
+  podTemplate:
+    serviceAccountName: pipeline
+    securityContext:
+      fsGroup: 0
+    imagePullSecrets:
+      - name: icr-secret
+  params:
+    - name: runOptional
+      value: "true"
+    - name: repo_url
+      value: "{{ repo_url }}"
+    - name: revision
+      value: "{{ revision }}"
+    - name: deleteExisting
+      value: "true"
+    - name: source_branch
+      value: "{{ source_branch }}"
+  pipelineSpec:
+    params:
+      - name: repo_url
+      - name: revision
+      - name: deleteExisting
+      - name: source_branch
+    workspaces:
+      - name: source
+      - name: basic-auth
+      - name: git-auth
+      - name: registry-secret
+    tasks:
+      - name: fix-permissions
+        taskSpec:
+          workspaces:
+            - name: source
+              workspace: source
+          steps:
+            - name: fix
+              image: quay.io/projectquay/golang:1.24
+              script: |
+                #!/bin/sh
+                echo "Fixing permissions on /workspace/source..."
+                chmod -R 777 /workspace/source || true
+        workspaces:
+          - name: source
+            workspace: source
+
+      - name: which-branch
+        taskRef:
+          name: print-branch-task
+        runAfter:
+          - fix-permissions
+        params:
+          - name: source-branch
+            value: "$(params.source_branch)"
+        workspaces:
+          - name: source
+            workspace: source
+
+      - name: fetch-repository
+        taskRef:
+          name: git-clone
+        runAfter:
+          - which-branch
+        workspaces:
+          - name: output
+            workspace: source
+          - name: basic-auth
+            workspace: basic-auth
+        params:
+          - name: url
+            value: $(params.repo_url)
+          - name: revision
+            value: $(params.revision)
+          - name: deleteExisting
+            value: "$(params.deleteExisting)"
+
+      - name: extract-version-and-registry
+        params:
+          - name: source-branch  
+            value: "$(params.source_branch)"
+        runAfter:
+          - fetch-repository
+        taskRef:
+          name: extract-version-and-registry-task
+        workspaces:
+          - name: source
+            workspace: source
+                            
+      - name: tag-version
+        when:
+          - input: "$(params.runOptional)"
+            operator: in
+            values: ["true"]
+          - input: "$(params.source_branch)"
+            operator: in
+            values: ["infra"]
+        taskRef:
+          name: tag-version-task
+        params:
+          - name: source-branch
+            value: "$(params.source_branch)"
+          - name: prod-version
+            value: "$(tasks.extract-version-and-registry.results.prod-version)"
+          - name: dev-version
+            value: "$(tasks.extract-version-and-registry.results.dev-version)"
+        runAfter:
+          - extract-version-and-registry
+        workspaces:
+          - name: source
+            workspace: source
+          - name: git-auth
+            workspace: git-auth
+
+      - name: openshift-redeploy
+        when:
+          - input: "$(params.runOptional)"
+            operator: in
+            values: ["true"]
+          - input: "$(params.source_branch)"
+            operator: in
+            values: ["infra"]
+        taskRef:
+          name: openshift-redeploy-infra-task
+        params:
+          - name: source-branch
+            value: "$(params.source_branch)"
+          - name: prod-version
+            value: "$(tasks.extract-version-and-registry.results.prod-version)"
+          - name: dev-version
+            value: "$(tasks.extract-version-and-registry.results.dev-version)"
+          - name: prod_image_tag_base
+            value: "$(tasks.extract-version-and-registry.results.prod-image-tag-base)"
+          - name: dev_image_tag_base
+            value: "$(tasks.extract-version-and-registry.results.dev-image-tag-base)"
+        runAfter:
+          - tag-version
+        workspaces:
+          - name: source
+            workspace: source
+
+      - name: pipeline-complete-infra
+        when:
+          - input: "$(params.source_branch)"
+            operator: in
+            values: ["infra"]
+        runAfter:
+          - openshift-redeploy
+        taskRef:
+          name: noop-task
+         
+  workspaces:
+    - name: source
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi
+    - name: basic-auth
+      secret:
+        secretName: "{{ git_auth_secret }}"
+    - name: git-auth  
+      secret:
+        secretName: "git-auth-secret-neuralmagic"
+    - name: registry-secret
+      secret:
+        secretName: quay-secret
\ No newline at end of file
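Review bot: The `on-cel-expression` annotation is, as far as I know, the only trigger Pipelines-as-Code evaluates once it is present (the `on-event: "[push]"` and `on-target-branch` annotations are then ignored), and its third clause still admits pull_request events whose base is `infra`. Because the `when` guards on `tag-version` and `openshift-redeploy` test only `source_branch`, not the event type, code from an unmerged pull request could reach the cluster-wide infrastructure deploy. Restricting the expression to pushes, for example `event == "push" && target_branch == "infra"` together with the existing ci-tag-bot author exclusion, would match the intent stated by `on-event`. Separately, `chmod -R 777 /workspace/source || true` in `fix-permissions` leaves the workspace world-writable and hides failures; with `fsGroup: 0` already set, `chmod -R g+rwX /workspace/source` is likely enough.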
diff --git a/.tekton/pipelinerun.yaml b/.tekton/pipelinerun.yaml
index ed1c65384..c8fb0c38a 100644
--- a/.tekton/pipelinerun.yaml
+++ b/.tekton/pipelinerun.yaml
@@ -6,7 +6,7 @@ metadata:
     pipelinesascode.tekton.dev/on-event: "[pull_request, push]"
     pipelinesascode.tekton.dev/on-target-branch: "[main, dev]"
     pipelinesascode.tekton.dev/task: "git-clone"
-    pipelinesascode.tekton.dev/max-keep-runs: "5"
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
     pipelinesascode.tekton.dev/git-status: "true"
     pipelinesascode.tekton.dev/on-cel-expression: >
       (!has(body.ref) || body.ref == 'refs/heads/main' || body.ref == 'refs/heads/dev') &&
diff --git a/.version.json b/.version.json
index 905c3ab95..a188d2583 100644
--- a/.version.json
+++ b/.version.json
@@ -1,6 +1,6 @@
 {
-  "dev-version": "0.0.2",
+  "dev-version": "0.0.3",
   "dev-registry": "quay.io/vllm-d/gateway-api-inference-extension-dev",
-  "prod-version": "0.0.1",
+  "prod-version": "0.0.2",
   "prod-registry": "quay.io/vllm-d/gateway-api-inference-extension"
 }
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
new file mode 100644
index 000000000..b1a5c4099
--- /dev/null
+++ b/DEVELOPMENT.md
@@ -0,0 +1,73 @@
+# Development
+
+Developing and testing the Gateway API Inference Extension (GIE) is done by
+building your Endpoint Picker (EPP) image and attaching that to a `Gateway` on a
+development cluster, with some model serving backend to route traffic to.
+
+We provide `Makefile` targets and development environment deployment manifests
+under the `deploy/environments` directory, which include support for
+multiple kinds of clusters:
+
+* Kubernetes In Docker (KIND)
+* Kubernetes (WIP: https://github.com/neuralmagic/gateway-api-inference-extension/issues/14)
+* OpenShift (WIP: https://github.com/neuralmagic/gateway-api-inference-extension/issues/22)
+
+We support multiple different model serving platforms for testing:
+
+* VLLM
+* VLLM-Simulator
+
+In the following sections we will cover how to use the different development
+environment options.
+
+## Kubernetes In Docker (KIND)
+
+A [KIND] cluster can be used for basic development and testing on a local
+system. This environment will generally be limited to using a model serving
+simulator and as such is very limited compared to clusters with full model
+serving resources.
+
+[KIND]:https://github.com/kubernetes-sigs/kind
+
+### Setup
+
+> **WARNING**: This current requires you to have manually built the vllm
+> simulator separately on your local system. In a future iteration this will
+> be handled automatically and will not be required.
+
+Run the following:
+
+```console
+make environment.dev.kind
+```
+
+This will create a `kind` cluster (or re-use an existing one) using the system's
+local container runtime and deploy the development stack into the `default`
+namespace. Instrutions will be provided on how to access the `Gateway` and send
+requests for testing.
+
+> **NOTE**: If you require significant customization of this environment beyond
+> what the standard deployment provides, you can use the `deploy/components`
+> with `kustomize` to build your own highly customized environment. You can use
+> the `deploy/environments/kind` deployment as a reference for your own.
+
+#### Development Cycle
+
+To test your changes to the GIE in this environment, make your changes locally
+and then run the following:
+
+```console
+make environment.dev.kind.update
+```
+
+This will build images with your recent changes and load the new images to the
+cluster. Then a rollout the `Deployments` will be performed so that your
+recent changes are refleted.
+
+## Kubernetes
+
+WIP
+
+## OpenShift
+
+WIP
diff --git a/Dockerfile b/Dockerfile
index ea9af50a1..a92cbb711 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,6 +33,4 @@ WORKDIR /
 COPY --from=builder /workspace/bin/epp /app/epp
 USER 65532:65532
 
-CMD ["sleep", "infinity"]
-
-
+ENTRYPOINT ["/app/epp"]
diff --git a/Makefile b/Makefile
index 1180b8800..cbafde83a 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,9 @@ IMG ?= controller:latest
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
 ENVTEST_K8S_VERSION = 1.31.0
 
+TARGETOS ?= linux
+TARGETARCH ?= amd64
+
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
 GOBIN=$(shell go env GOPATH)/bin
@@ -393,11 +396,11 @@ SHELL := /usr/bin/env bash
 PROJECT_NAME ?= gateway-api-inference-extension
 DEV_VERSION ?= 0.0.1
 PROD_VERSION ?= 0.0.0
-IMAGE_TAG_BASE ?= quay.io/vllm-d/$(PROJECT_NAME)
+IMAGE_TAG_BASE ?= quay.io/vllm-d/$(PROJECT_NAME)/epp
 IMG = $(IMAGE_TAG_BASE):$(DEV_VERSION)
 NAMESPACE ?= hc4ai-operator
 
-CONTAINER_TOOL := $(shell command -v docker >/dev/null 2>&1 && echo docker || command -v podman >/dev/null 2>&1 && echo podman || echo "")
+# CONTAINER_TOOL := $(shell command -v docker >/dev/null 2>&1 && echo docker || command -v podman >/dev/null 2>&1 && echo podman || echo "")
 BUILDER := $(shell command -v buildah >/dev/null 2>&1 && echo buildah || echo $(CONTAINER_TOOL))
 PLATFORMS ?= linux/amd64 # linux/arm64 # linux/s390x,linux/ppc64le
 
@@ -474,13 +477,13 @@ buildah-build: check-builder load-version-json ## Build and push image (multi-ar
 	fi
 
 .PHONY:	image-build
-image-build: check-container-tool load-version-json ## Build Docker image ## Build Docker image using $(CONTAINER_TOOL)
-	@printf "\033[33;1m==== Building Docker image $(IMG) ====\033[0m\n"
+image-build: check-container-tool load-version-json ## Build container image using $(CONTAINER_TOOL)
+	@printf "\033[33;1m==== Building container image $(IMG) ====\033[0m\n"
 	$(CONTAINER_TOOL) build --build-arg TARGETOS=$(TARGETOS) --build-arg TARGETARCH=$(TARGETARCH) -t $(IMG) .
 
 .PHONY: image-push
-image-push: check-container-tool load-version-json ## Push Docker image $(IMG) to registry
-	@printf "\033[33;1m==== Pushing Docker image $(IMG) ====\033[0m\n"
+image-push: check-container-tool load-version-json ## Push container image $(IMG) to registry
+	@printf "\033[33;1m==== Pushing container image $(IMG) ====\033[0m\n"
 	$(CONTAINER_TOOL) push $(IMG)
 
 ##@ Install/Uninstall Targets
@@ -510,6 +513,8 @@ uninstall-docker: check-container-tool ## Uninstall app from $(CONTAINER_TOOL)
 
 ### Kubernetes Targets (kubectl)
 
+# TODO: currently incorrect because it depends on OpenShift APIs.
+#  See: https://github.com/neuralmagic/gateway-api-inference-extension/issues/14
 .PHONY: install-k8s
 install-k8s: check-kubectl check-kustomize check-envsubst ## Install on Kubernetes
 	export PROJECT_NAME=${PROJECT_NAME}
@@ -519,7 +524,7 @@ install-k8s: check-kubectl check-kustomize check-envsubst ## Install on Kubernet
 	kubectl config set-context --current --namespace=$(NAMESPACE)
 	@echo "Deploying resources from deploy/ ..."
 	# Build the kustomization from deploy, substitute variables, and apply the YAML
-	kustomize build deploy | envsubst | kubectl apply -f -
+	kustomize build deploy/environments/dev/openshift | envsubst | kubectl apply -f -
 	@echo "Waiting for pod to become ready..."
 	sleep 5
 	@POD=$$(kubectl get pod -l app=$(PROJECT_NAME)-statefulset -o jsonpath='{.items[0].metadata.name}'); \
@@ -527,12 +532,14 @@ install-k8s: check-kubectl check-kustomize check-envsubst ## Install on Kubernet
 	echo "To use the app, run:"; \
 	echo "alias $(PROJECT_NAME)='kubectl exec -n $(NAMESPACE) -it $$POD -- /app/$(PROJECT_NAME)'"
 	
+# TODO: currently incorrect because it depends on OpenShift APIs.
+#  See: https://github.com/neuralmagic/gateway-api-inference-extension/issues/14
 .PHONY: uninstall-k8s
 uninstall-k8s: check-kubectl check-kustomize check-envsubst ## Uninstall from Kubernetes
 	export PROJECT_NAME=${PROJECT_NAME}
 	export NAMESPACE=${NAMESPACE}
 	@echo "Removing resources from Kubernetes..."
-	kustomize build deploy | envsubst | kubectl delete --force -f - || true
+	kustomize build deploy/environments/dev/openshift | envsubst | kubectl delete --force -f - || true
 	POD=$$(kubectl get pod -l app=$(PROJECT_NAME)-statefulset -o jsonpath='{.items[0].metadata.name}'); \
 	echo "Deleting pod: $$POD"; \
 	kubectl delete pod "$$POD" --force --grace-period=0 || true; \
@@ -540,6 +547,57 @@ uninstall-k8s: check-kubectl check-kustomize check-envsubst ## Uninstall from Ku
 
 ### OpenShift Targets (oc)
 
+# ------------------------------------------------------------------------------
+# OpenShift Infrastructure Installer
+#
+# This target deploys infrastructure requirements for the entire cluster.
+# Among other things, this includes CRDs and operators which all users of the
+# cluster need for development (e.g. Gateway API, Istio, etc).
+#
+# **Warning**: Only run this if you're certain you should be running it. It
+# has implications for all users of the cluster!
+# ------------------------------------------------------------------------------
+.PHONY: install-openshift-infrastructure
+install-openshift-infrastructure:
+ifeq ($(strip $(INFRASTRUCTURE_OVERRIDE)),true)
+	@echo "INFRASTRUCTURE_OVERRIDE is set to true, deploying infrastructure components"
+	@echo "Installing CRDs"
+	kustomize build deploy/components/crds | kubectl apply --server-side --force-conflicts -f -
+	@echo "Installing the Istio Control Plane"
+	kustomize build deploy/components/istio-control-plane | kubectl apply -f -
+else
+	$(error "Error: The environment variable INFRASTRUCTURE_OVERRIDE must be set to true in order to run this target.")
+endif
+
+# ------------------------------------------------------------------------------
+# OpenShift Infrastructure Uninstaller
+#
+# This target removes all infrastructure components (e.g. CRDs, operators,
+# etc) for the entire cluster.
+#
+# **Warning**: Only run this if you're certain you should be running it. **This
+# will disrupt everyone using the cluster**. Generally this should only be run
+# when the infrastructure components have undergone very significant change, and
+# you need to do a hard cleanup and re-deploy.
+# ------------------------------------------------------------------------------
+.PHONY: uninstall-openshift-infrastructure
+uninstall-openshift-infrastructure:
+ifeq ($(strip $(INFRASTRUCTURE_OVERRIDE)),true)
+	@echo "INFRASTRUCTURE_OVERRIDE is set to true, removing infrastructure components"
+	@echo "Uninstalling the Istio Control Plane"
+	kustomize build deploy/components/istio-control-plane | kubectl delete -f - || true
+	@echo "Uninstalling CRDs"
+	kustomize build deploy/components/crds | kubectl delete -f - || true
+else
+	$(error "Error: The environment variable INFRASTRUCTURE_OVERRIDE must be set to true in order to run this target.")
+endif
+
+# ------------------------------------------------------------------------------
+# OpenShift Installer
+#
+# This target deploys components in a namespace on an OpenShift cluster for
+# a developer to do development and testing cycles.
+# ------------------------------------------------------------------------------
 .PHONY: install-openshift
 install-openshift: check-kubectl check-kustomize check-envsubst ## Install on OpenShift
 	@echo $$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION
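Review bot: `install-openshift-infrastructure` and `uninstall-openshift-infrastructure` change cluster-wide state on whatever kubectl context is current, and the only guard is `INFRASTRUCTURE_OVERRIDE=true`. Unlike `install-openshift` they declare no prerequisites, so a missing tool surfaces mid-recipe on install and is swallowed by `|| true` on uninstall; `install-openshift-infrastructure: check-kubectl check-kustomize` (and the same on the uninstall target) would keep them consistent. Printing the target cluster before acting, e.g. `@echo "Context: $$(kubectl config current-context)"`, makes it harder to apply to the wrong cluster. The install header comment should also say that `--server-side --force-conflicts` takes ownership of fields managed by other clients, and the uninstall warning should say that deleting the CRDs removes every custom resource of those kinds. The hunk ends inside `install-openshift`, whose recipe continues outside it.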
@@ -547,7 +605,7 @@ install-openshift: check-kubectl check-kustomize check-envsubst ## Install on Op
 	kubectl create namespace $(NAMESPACE) 2>/dev/null || true
 	@echo "Deploying common resources from deploy/ ..."
 	# Build and substitute the base manifests from deploy, then apply them
-	kustomize build deploy | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl apply -n $(NAMESPACE) -f -
+	kustomize build deploy/environments/dev/openshift | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl apply -n $(NAMESPACE) -f -
 	@echo "Waiting for pod to become ready..."
 	sleep 5
 	@POD=$$(kubectl get pod -l app=$(PROJECT_NAME)-statefulset -n $(NAMESPACE) -o jsonpath='{.items[0].metadata.name}'); \
@@ -555,10 +613,16 @@ install-openshift: check-kubectl check-kustomize check-envsubst ## Install on Op
 	echo "To use the app, run:"; \
 	echo "alias $(PROJECT_NAME)='kubectl exec -n $(NAMESPACE) -it $$POD -- /app/$(PROJECT_NAME)'" 
 
+# ------------------------------------------------------------------------------
+# OpenShift Uninstaller
+#
+# This target cleans up a developer's testing and development namespace,
+# removing all components therein.
+# ------------------------------------------------------------------------------
 .PHONY: uninstall-openshift
 uninstall-openshift: check-kubectl check-kustomize check-envsubst ## Uninstall from OpenShift
 	@echo "Removing resources from OpenShift..."
-	kustomize build deploy | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl delete --force -f - || true
+	kustomize build deploy/environments/dev/openshift | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl delete --force -f - || true
 	# @if kubectl api-resources --api-group=route.openshift.io | grep -q Route; then \
 	#   envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' < deploy/openshift/route.yaml | kubectl delete --force -f - || true; \
 	# fi
@@ -572,12 +636,12 @@ uninstall-openshift: check-kubectl check-kustomize check-envsubst ## Uninstall f
 .PHONY: install-rbac
 install-rbac: check-kubectl check-kustomize check-envsubst ## Install RBAC
 	@echo "Applying RBAC configuration from deploy/rbac..."
-	kustomize build deploy/rbac | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl apply -f -
+	kustomize build deploy/environments/dev/openshift/rbac | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl apply -f -
 
 .PHONY: uninstall-rbac
 uninstall-rbac: check-kubectl check-kustomize check-envsubst ## Uninstall RBAC
 	@echo "Removing RBAC configuration from deploy/rbac..."
-	kustomize build deploy/rbac | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl delete -f - || true
+	kustomize build deploy/environments/dev/openshift/rbac | envsubst '$$PROJECT_NAME $$NAMESPACE $$IMAGE_TAG_BASE $$VERSION' | kubectl delete -f - || true
 
 
 ##@ Version Extraction
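Review bot: The echo lines in `install-rbac` and `uninstall-rbac` still say `deploy/rbac`, while the commands now build `deploy/environments/dev/openshift/rbac`. Update both messages so the log names the directory actually applied or deleted, e.g. `@echo "Applying RBAC configuration from deploy/environments/dev/openshift/rbac..."` and the matching `Removing ...` line.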
@@ -721,3 +785,40 @@ print-namespace: ## Print the current namespace
 .PHONY: print-project-name
 print-project-name: ## Print the current project name
 	@echo "$(PROJECT_NAME)"
+
+#
+# Development Environments
+#
+
+KIND_CLUSTER_NAME ?= gie-dev
+
+# ------------------------------------------------------------------------------
+# Development Environment: Kubernetes In Docker (KIND)
+#
+# This target will deploy a local kind cluster with the GIE stack deployed into
+# the default namespace for development and testing.
+#
+# ------------------------------------------------------------------------------
+.PHONY: environment.dev.kind
+environment.dev.kind:
+	CLUSTER_NAME=$(KIND_CLUSTER_NAME) ./scripts/kind-dev-env.sh
+
+# ------------------------------------------------------------------------------
+# Development Environment Update: Kubernetes In Docker (KIND)
+#
+# This target will build the current changes into an image, load them into an
+# existing kind cluster and perform a rollout so that the new changes are
+# reflected in the environment.
+#
+# ------------------------------------------------------------------------------
+.PHONY: environment.dev.kind.update
+environment.dev.kind.update: image-build
+	@echo "INFO: Loading images into cluster"
+	CLUSTER_NAME=$(KIND_CLUSTER_NAME) ./scripts/kind-load-images.sh 2>&1
+	@echo "INFO: Restarting the Endpoint Picker Deployment"
+	kubectl --context kind-$(KIND_CLUSTER_NAME) -n default rollout restart deployment endpoint-picker
+	kubectl --context kind-$(KIND_CLUSTER_NAME) -n default rollout status deployment endpoint-picker
+
+.PHONY: install-hooks
+install-hooks: ## Install git hooks
+	git config core.hooksPath hooks
diff --git a/README.md b/README.md
index e0ac07299..3b56a81b1 100644
--- a/README.md
+++ b/README.md
@@ -53,3 +53,4 @@ Contributions are readily welcomed, follow the [dev guide](./docs/dev.md) to sta
 Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md).
 
 
+
diff --git a/deploy/components/crds/istio.yaml b/deploy/components/crds/istio.yaml
new file mode 100644
index 000000000..274d8d762
--- /dev/null
+++ b/deploy/components/crds/istio.yaml
@@ -0,0 +1,17255 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: authorizationpolicies.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: AuthorizationPolicy
+    listKind: AuthorizationPolicyList
+    plural: authorizationpolicies
+    shortNames:
+    - ap
+    singular: authorizationpolicy
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The operation to take.
+      jsonPath: .spec.action
+      name: Action
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: |-
+                  Optional.
+
+                  Valid Options: ALLOW, DENY, AUDIT, CUSTOM
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                            type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
+                        type: object
+                      maxItems: 512
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                maxItems: 512
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The operation to take.
+      jsonPath: .spec.action
+      name: Action
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration for access control on workloads. See more
+              details at: https://istio.io/docs/reference/config/security/authorization-policy.html'
+            oneOf:
+            - not:
+                anyOf:
+                - required:
+                  - provider
+            - required:
+              - provider
+            properties:
+              action:
+                description: |-
+                  Optional.
+
+                  Valid Options: ALLOW, DENY, AUDIT, CUSTOM
+                enum:
+                - ALLOW
+                - DENY
+                - AUDIT
+                - CUSTOM
+                type: string
+              provider:
+                description: Specifies detailed configuration of the CUSTOM action.
+                properties:
+                  name:
+                    description: Specifies the name of the extension provider.
+                    type: string
+                type: object
+              rules:
+                description: Optional.
+                items:
+                  properties:
+                    from:
+                      description: Optional.
+                      items:
+                        properties:
+                          source:
+                            description: Source specifies the source of a request.
+                            properties:
+                              ipBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              namespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notNamespaces:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRemoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notRequestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notServiceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                              principals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              remoteIpBlocks:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              requestPrincipals:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              serviceAccounts:
+                                description: Optional.
+                                items:
+                                  maxLength: 320
+                                  type: string
+                                maxItems: 16
+                                type: array
+                            type: object
+                            x-kubernetes-validations:
+                            - message: Cannot set serviceAccounts with namespaces
+                                or principals
+                              rule: |-
+                                (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) &&
+                                !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true
+                        type: object
+                      maxItems: 512
+                      type: array
+                    to:
+                      description: Optional.
+                      items:
+                        properties:
+                          operation:
+                            description: Operation specifies the operation of a request.
+                            properties:
+                              hosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              methods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notHosts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notMethods:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPaths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              notPorts:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              paths:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                              ports:
+                                description: Optional.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                        type: object
+                      type: array
+                    when:
+                      description: Optional.
+                      items:
+                        properties:
+                          key:
+                            description: The name of an Istio attribute.
+                            type: string
+                          notValues:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                          values:
+                            description: Optional.
+                            items:
+                              type: string
+                            type: array
+                        required:
+                        - key
+                        type: object
+                      type: array
+                  type: object
+                maxItems: 512
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: destinationrules.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: DestinationRule
+    listKind: DestinationRuleList
+    plural: destinationrules
+    shortNames:
+    - dr
+    singular: destinationrule
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 1
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: |-
+                                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            maximum: 4294967295
+                                            minimum: 0
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        minimum: 0
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                maximum: 4294967295
+                                                minimum: 0
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: Enable locality load balancing.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    description: |2-
+
+
+                                      Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmup:
+                                    description: Represents the warmup configuration
+                                      of Service.
+                                    properties:
+                                      aggression:
+                                        description: This parameter controls the speed
+                                          of traffic increase over the warmup duration.
+                                        format: double
+                                        minimum: 1
+                                        nullable: true
+                                        type: number
+                                      duration:
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      minimumPercent:
+                                        format: double
+                                        maximum: 100
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                    required:
+                                    - duration
+                                    type: object
+                                  warmupDurationSecs:
+                                    description: 'Deprecated: use `warmup` instead.'
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least `minHealthPercent` hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  caCrl:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      the certificate revocation list (CRL) to use
+                                      in verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured using TLS.
+
+                                      Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          maxItems: 4096
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: |-
+                                The PROXY protocol version to use.
+
+                                Valid Options: V1, V2
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: |-
+                              Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                              Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                maximum: 4294967295
+                                minimum: 0
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            minimum: 0
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: Enable locality load balancing.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        description: |2-
+
+
+                          Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmup:
+                        description: Represents the warmup configuration of Service.
+                        properties:
+                          aggression:
+                            description: This parameter controls the speed of traffic
+                              increase over the warmup duration.
+                            format: double
+                            minimum: 1
+                            nullable: true
+                            type: number
+                          duration:
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          minimumPercent:
+                            format: double
+                            maximum: 100
+                            minimum: 0
+                            nullable: true
+                            type: number
+                        required:
+                        - duration
+                        type: object
+                      warmupDurationSecs:
+                        description: 'Deprecated: use `warmup` instead.'
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least `minHealthPercent`
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 1
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    maxItems: 4096
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: |-
+                          The PROXY protocol version to use.
+
+                          Valid Options: V1, V2
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      caCrl:
+                        description: 'OPTIONAL: The path to the file containing the
+                          certificate revocation list (CRL) to use in verifying a
+                          presented server certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: |-
+                          Indicates whether connections to this port should be secured using TLS.
+
+                          Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 1
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: |-
+                                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            maximum: 4294967295
+                                            minimum: 0
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        minimum: 0
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                maximum: 4294967295
+                                                minimum: 0
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: Enable locality load balancing.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    description: |2-
+
+
+                                      Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmup:
+                                    description: Represents the warmup configuration
+                                      of Service.
+                                    properties:
+                                      aggression:
+                                        description: This parameter controls the speed
+                                          of traffic increase over the warmup duration.
+                                        format: double
+                                        minimum: 1
+                                        nullable: true
+                                        type: number
+                                      duration:
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      minimumPercent:
+                                        format: double
+                                        maximum: 100
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                    required:
+                                    - duration
+                                    type: object
+                                  warmupDurationSecs:
+                                    description: 'Deprecated: use `warmup` instead.'
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least `minHealthPercent` hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  caCrl:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      the certificate revocation list (CRL) to use
+                                      in verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured using TLS.
+
+                                      Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          maxItems: 4096
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: |-
+                                The PROXY protocol version to use.
+
+                                Valid Options: V1, V2
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: |-
+                              Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                              Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                maximum: 4294967295
+                                minimum: 0
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            minimum: 0
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: Enable locality load balancing.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        description: |2-
+
+
+                          Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmup:
+                        description: Represents the warmup configuration of Service.
+                        properties:
+                          aggression:
+                            description: This parameter controls the speed of traffic
+                              increase over the warmup duration.
+                            format: double
+                            minimum: 1
+                            nullable: true
+                            type: number
+                          duration:
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          minimumPercent:
+                            format: double
+                            maximum: 100
+                            minimum: 0
+                            nullable: true
+                            type: number
+                        required:
+                        - duration
+                        type: object
+                      warmupDurationSecs:
+                        description: 'Deprecated: use `warmup` instead.'
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least `minHealthPercent`
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 1
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    maxItems: 4096
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: |-
+                          The PROXY protocol version to use.
+
+                          Valid Options: V1, V2
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      caCrl:
+                        description: 'OPTIONAL: The path to the file containing the
+                          certificate revocation list (CRL) to use in verifying a
+                          presented server certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: |-
+                          Indicates whether connections to this port should be secured using TLS.
+
+                          Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The name of a service from the service registry
+      jsonPath: .spec.host
+      name: Host
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting load balancing, outlier detection,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this destination rule is
+                  exported.
+                items:
+                  type: string
+                type: array
+              host:
+                description: The name of a service from the service registry.
+                type: string
+              subsets:
+                description: One or more named sets that represent individual versions
+                  of a service.
+                items:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: Labels apply a filter over the endpoints of a service
+                        in the service registry.
+                      type: object
+                    name:
+                      description: Name of the subset.
+                      type: string
+                    trafficPolicy:
+                      description: Traffic policies that apply to this subset.
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 1
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        portLevelSettings:
+                          description: Traffic policies specific to individual ports.
+                          items:
+                            properties:
+                              connectionPool:
+                                properties:
+                                  http:
+                                    description: HTTP connection pool settings.
+                                    properties:
+                                      h2UpgradePolicy:
+                                        description: |-
+                                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                        enum:
+                                        - DEFAULT
+                                        - DO_NOT_UPGRADE
+                                        - UPGRADE
+                                        type: string
+                                      http1MaxPendingRequests:
+                                        description: Maximum number of requests that
+                                          will be queued while waiting for a ready
+                                          connection pool connection.
+                                        format: int32
+                                        type: integer
+                                      http2MaxRequests:
+                                        description: Maximum number of active requests
+                                          to a destination.
+                                        format: int32
+                                        type: integer
+                                      idleTimeout:
+                                        description: The idle timeout for upstream
+                                          connection pool connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConcurrentStreams:
+                                        description: The maximum number of concurrent
+                                          streams allowed for a peer on one HTTP/2
+                                          connection.
+                                        format: int32
+                                        type: integer
+                                      maxRequestsPerConnection:
+                                        description: Maximum number of requests per
+                                          connection to a backend.
+                                        format: int32
+                                        type: integer
+                                      maxRetries:
+                                        description: Maximum number of retries that
+                                          can be outstanding to all hosts in a cluster
+                                          at a given time.
+                                        format: int32
+                                        type: integer
+                                      useClientProtocol:
+                                        description: If set to true, client protocol
+                                          will be preserved while initiating connection
+                                          to backend.
+                                        type: boolean
+                                    type: object
+                                  tcp:
+                                    description: Settings common to both HTTP and
+                                      TCP upstream connections.
+                                    properties:
+                                      connectTimeout:
+                                        description: TCP connection timeout.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      idleTimeout:
+                                        description: The idle timeout for TCP connections.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnectionDuration:
+                                        description: The maximum duration of a connection.
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      maxConnections:
+                                        description: Maximum number of HTTP1 /TCP
+                                          connections to a destination host.
+                                        format: int32
+                                        type: integer
+                                      tcpKeepalive:
+                                        description: If set then set SO_KEEPALIVE
+                                          on the socket to enable TCP Keepalives.
+                                        properties:
+                                          interval:
+                                            description: The time duration between
+                                              keep-alive probes.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                          probes:
+                                            description: Maximum number of keepalive
+                                              probes to send without response before
+                                              deciding the connection is dead.
+                                            maximum: 4294967295
+                                            minimum: 0
+                                            type: integer
+                                          time:
+                                            description: The time duration a connection
+                                              needs to be idle before keep-alive probes
+                                              start being sent.
+                                            type: string
+                                            x-kubernetes-validations:
+                                            - message: must be a valid duration greater
+                                                than 1ms
+                                              rule: duration(self) >= duration('1ms')
+                                        type: object
+                                    type: object
+                                type: object
+                              loadBalancer:
+                                description: Settings controlling the load balancer
+                                  algorithms.
+                                oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - simple
+                                    - required:
+                                      - consistentHash
+                                - required:
+                                  - simple
+                                - required:
+                                  - consistentHash
+                                properties:
+                                  consistentHash:
+                                    allOf:
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - httpHeaderName
+                                          - required:
+                                            - httpCookie
+                                          - required:
+                                            - useSourceIp
+                                          - required:
+                                            - httpQueryParameterName
+                                      - required:
+                                        - httpHeaderName
+                                      - required:
+                                        - httpCookie
+                                      - required:
+                                        - useSourceIp
+                                      - required:
+                                        - httpQueryParameterName
+                                    - oneOf:
+                                      - not:
+                                          anyOf:
+                                          - required:
+                                            - ringHash
+                                          - required:
+                                            - maglev
+                                      - required:
+                                        - ringHash
+                                      - required:
+                                        - maglev
+                                    properties:
+                                      httpCookie:
+                                        description: Hash based on HTTP cookie.
+                                        properties:
+                                          name:
+                                            description: Name of the cookie.
+                                            type: string
+                                          path:
+                                            description: Path to set for the cookie.
+                                            type: string
+                                          ttl:
+                                            description: Lifetime of the cookie.
+                                            type: string
+                                        required:
+                                        - name
+                                        type: object
+                                      httpHeaderName:
+                                        description: Hash based on a specific HTTP
+                                          header.
+                                        type: string
+                                      httpQueryParameterName:
+                                        description: Hash based on a specific HTTP
+                                          query parameter.
+                                        type: string
+                                      maglev:
+                                        description: The Maglev load balancer implements
+                                          consistent hashing to backend hosts.
+                                        properties:
+                                          tableSize:
+                                            description: The table size for Maglev
+                                              hashing.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      minimumRingSize:
+                                        description: Deprecated.
+                                        minimum: 0
+                                        type: integer
+                                      ringHash:
+                                        description: The ring/modulo hash load balancer
+                                          implements consistent hashing to backend
+                                          hosts.
+                                        properties:
+                                          minimumRingSize:
+                                            description: The minimum number of virtual
+                                              nodes to use for the hash ring.
+                                            minimum: 0
+                                            type: integer
+                                        type: object
+                                      useSourceIp:
+                                        description: Hash based on the source IP address.
+                                        type: boolean
+                                    type: object
+                                  localityLbSetting:
+                                    properties:
+                                      distribute:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating locality, '/'
+                                                separated, e.g.
+                                              type: string
+                                            to:
+                                              additionalProperties:
+                                                maximum: 4294967295
+                                                minimum: 0
+                                                type: integer
+                                              description: Map of upstream localities
+                                                to traffic distribution weights.
+                                              type: object
+                                          type: object
+                                        type: array
+                                      enabled:
+                                        description: Enable locality load balancing.
+                                        nullable: true
+                                        type: boolean
+                                      failover:
+                                        description: 'Optional: only one of distribute,
+                                          failover or failoverPriority can be set.'
+                                        items:
+                                          properties:
+                                            from:
+                                              description: Originating region.
+                                              type: string
+                                            to:
+                                              description: Destination region the
+                                                traffic will fail over to when endpoints
+                                                in the 'from' region becomes unhealthy.
+                                              type: string
+                                          type: object
+                                        type: array
+                                      failoverPriority:
+                                        description: failoverPriority is an ordered
+                                          list of labels used to sort endpoints to
+                                          do priority based load balancing.
+                                        items:
+                                          type: string
+                                        type: array
+                                    type: object
+                                  simple:
+                                    description: |2-
+
+
+                                      Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                                    enum:
+                                    - UNSPECIFIED
+                                    - LEAST_CONN
+                                    - RANDOM
+                                    - PASSTHROUGH
+                                    - ROUND_ROBIN
+                                    - LEAST_REQUEST
+                                    type: string
+                                  warmup:
+                                    description: Represents the warmup configuration
+                                      of Service.
+                                    properties:
+                                      aggression:
+                                        description: This parameter controls the speed
+                                          of traffic increase over the warmup duration.
+                                        format: double
+                                        minimum: 1
+                                        nullable: true
+                                        type: number
+                                      duration:
+                                        type: string
+                                        x-kubernetes-validations:
+                                        - message: must be a valid duration greater
+                                            than 1ms
+                                          rule: duration(self) >= duration('1ms')
+                                      minimumPercent:
+                                        format: double
+                                        maximum: 100
+                                        minimum: 0
+                                        nullable: true
+                                        type: number
+                                    required:
+                                    - duration
+                                    type: object
+                                  warmupDurationSecs:
+                                    description: 'Deprecated: use `warmup` instead.'
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                type: object
+                              outlierDetection:
+                                properties:
+                                  baseEjectionTime:
+                                    description: Minimum ejection duration.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  consecutive5xxErrors:
+                                    description: Number of 5xx errors before a host
+                                      is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveErrors:
+                                    format: int32
+                                    type: integer
+                                  consecutiveGatewayErrors:
+                                    description: Number of gateway errors before a
+                                      host is ejected from the connection pool.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  consecutiveLocalOriginFailures:
+                                    description: The number of consecutive locally
+                                      originated failures before ejection occurs.
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    nullable: true
+                                    type: integer
+                                  interval:
+                                    description: Time interval between ejection sweep
+                                      analysis.
+                                    type: string
+                                    x-kubernetes-validations:
+                                    - message: must be a valid duration greater than
+                                        1ms
+                                      rule: duration(self) >= duration('1ms')
+                                  maxEjectionPercent:
+                                    description: Maximum % of hosts in the load balancing
+                                      pool for the upstream service that can be ejected.
+                                    format: int32
+                                    type: integer
+                                  minHealthPercent:
+                                    description: Outlier detection will be enabled
+                                      as long as the associated load balancing pool
+                                      has at least `minHealthPercent` hosts in healthy
+                                      mode.
+                                    format: int32
+                                    type: integer
+                                  splitExternalLocalOriginErrors:
+                                    description: Determines whether to distinguish
+                                      local origin failures from external errors.
+                                    type: boolean
+                                type: object
+                              port:
+                                description: Specifies the number of a port on the
+                                  destination service on which this policy is being
+                                  applied.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              tls:
+                                description: TLS related settings for connections
+                                  to the upstream service.
+                                properties:
+                                  caCertificates:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      certificate authority certificates to use in
+                                      verifying a presented server certificate.'
+                                    type: string
+                                  caCrl:
+                                    description: 'OPTIONAL: The path to the file containing
+                                      the certificate revocation list (CRL) to use
+                                      in verifying a presented server certificate.'
+                                    type: string
+                                  clientCertificate:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  credentialName:
+                                    description: The name of the secret that holds
+                                      the TLS certs for the client including the CA
+                                      certificates.
+                                    type: string
+                                  insecureSkipVerify:
+                                    description: '`insecureSkipVerify` specifies whether
+                                      the proxy should skip verifying the CA signature
+                                      and SAN for the server certificate corresponding
+                                      to the host.'
+                                    nullable: true
+                                    type: boolean
+                                  mode:
+                                    description: |-
+                                      Indicates whether connections to this port should be secured using TLS.
+
+                                      Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                                    enum:
+                                    - DISABLE
+                                    - SIMPLE
+                                    - MUTUAL
+                                    - ISTIO_MUTUAL
+                                    type: string
+                                  privateKey:
+                                    description: REQUIRED if mode is `MUTUAL`.
+                                    type: string
+                                  sni:
+                                    description: SNI string to present to the server
+                                      during TLS handshake.
+                                    type: string
+                                  subjectAltNames:
+                                    description: A list of alternate names to verify
+                                      the subject identity in the certificate.
+                                    items:
+                                      type: string
+                                    type: array
+                                type: object
+                            type: object
+                          maxItems: 4096
+                          type: array
+                        proxyProtocol:
+                          description: The upstream PROXY protocol settings.
+                          properties:
+                            version:
+                              description: |-
+                                The PROXY protocol version to use.
+
+                                Valid Options: V1, V2
+                              enum:
+                              - V1
+                              - V2
+                              type: string
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                        tunnel:
+                          description: Configuration of tunneling TCP over other transport
+                            or application layers for the host configured in the DestinationRule.
+                          properties:
+                            protocol:
+                              description: Specifies which protocol to use for tunneling
+                                the downstream connection.
+                              type: string
+                            targetHost:
+                              description: Specifies a host to which the downstream
+                                connection is tunneled.
+                              type: string
+                            targetPort:
+                              description: Specifies a port to which the downstream
+                                connection is tunneled.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          required:
+                          - targetHost
+                          - targetPort
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  type: object
+                type: array
+              trafficPolicy:
+                description: Traffic policies to apply (load balancing policy, connection
+                  pool sizes, outlier detection).
+                properties:
+                  connectionPool:
+                    properties:
+                      http:
+                        description: HTTP connection pool settings.
+                        properties:
+                          h2UpgradePolicy:
+                            description: |-
+                              Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                              Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                            enum:
+                            - DEFAULT
+                            - DO_NOT_UPGRADE
+                            - UPGRADE
+                            type: string
+                          http1MaxPendingRequests:
+                            description: Maximum number of requests that will be queued
+                              while waiting for a ready connection pool connection.
+                            format: int32
+                            type: integer
+                          http2MaxRequests:
+                            description: Maximum number of active requests to a destination.
+                            format: int32
+                            type: integer
+                          idleTimeout:
+                            description: The idle timeout for upstream connection
+                              pool connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConcurrentStreams:
+                            description: The maximum number of concurrent streams
+                              allowed for a peer on one HTTP/2 connection.
+                            format: int32
+                            type: integer
+                          maxRequestsPerConnection:
+                            description: Maximum number of requests per connection
+                              to a backend.
+                            format: int32
+                            type: integer
+                          maxRetries:
+                            description: Maximum number of retries that can be outstanding
+                              to all hosts in a cluster at a given time.
+                            format: int32
+                            type: integer
+                          useClientProtocol:
+                            description: If set to true, client protocol will be preserved
+                              while initiating connection to backend.
+                            type: boolean
+                        type: object
+                      tcp:
+                        description: Settings common to both HTTP and TCP upstream
+                          connections.
+                        properties:
+                          connectTimeout:
+                            description: TCP connection timeout.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          idleTimeout:
+                            description: The idle timeout for TCP connections.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnectionDuration:
+                            description: The maximum duration of a connection.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          maxConnections:
+                            description: Maximum number of HTTP1 /TCP connections
+                              to a destination host.
+                            format: int32
+                            type: integer
+                          tcpKeepalive:
+                            description: If set then set SO_KEEPALIVE on the socket
+                              to enable TCP Keepalives.
+                            properties:
+                              interval:
+                                description: The time duration between keep-alive
+                                  probes.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                              probes:
+                                description: Maximum number of keepalive probes to
+                                  send without response before deciding the connection
+                                  is dead.
+                                maximum: 4294967295
+                                minimum: 0
+                                type: integer
+                              time:
+                                description: The time duration a connection needs
+                                  to be idle before keep-alive probes start being
+                                  sent.
+                                type: string
+                                x-kubernetes-validations:
+                                - message: must be a valid duration greater than 1ms
+                                  rule: duration(self) >= duration('1ms')
+                            type: object
+                        type: object
+                    type: object
+                  loadBalancer:
+                    description: Settings controlling the load balancer algorithms.
+                    oneOf:
+                    - not:
+                        anyOf:
+                        - required:
+                          - simple
+                        - required:
+                          - consistentHash
+                    - required:
+                      - simple
+                    - required:
+                      - consistentHash
+                    properties:
+                      consistentHash:
+                        allOf:
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpHeaderName
+                              - required:
+                                - httpCookie
+                              - required:
+                                - useSourceIp
+                              - required:
+                                - httpQueryParameterName
+                          - required:
+                            - httpHeaderName
+                          - required:
+                            - httpCookie
+                          - required:
+                            - useSourceIp
+                          - required:
+                            - httpQueryParameterName
+                        - oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - ringHash
+                              - required:
+                                - maglev
+                          - required:
+                            - ringHash
+                          - required:
+                            - maglev
+                        properties:
+                          httpCookie:
+                            description: Hash based on HTTP cookie.
+                            properties:
+                              name:
+                                description: Name of the cookie.
+                                type: string
+                              path:
+                                description: Path to set for the cookie.
+                                type: string
+                              ttl:
+                                description: Lifetime of the cookie.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          httpHeaderName:
+                            description: Hash based on a specific HTTP header.
+                            type: string
+                          httpQueryParameterName:
+                            description: Hash based on a specific HTTP query parameter.
+                            type: string
+                          maglev:
+                            description: The Maglev load balancer implements consistent
+                              hashing to backend hosts.
+                            properties:
+                              tableSize:
+                                description: The table size for Maglev hashing.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          minimumRingSize:
+                            description: Deprecated.
+                            minimum: 0
+                            type: integer
+                          ringHash:
+                            description: The ring/modulo hash load balancer implements
+                              consistent hashing to backend hosts.
+                            properties:
+                              minimumRingSize:
+                                description: The minimum number of virtual nodes to
+                                  use for the hash ring.
+                                minimum: 0
+                                type: integer
+                            type: object
+                          useSourceIp:
+                            description: Hash based on the source IP address.
+                            type: boolean
+                        type: object
+                      localityLbSetting:
+                        properties:
+                          distribute:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating locality, '/' separated,
+                                    e.g.
+                                  type: string
+                                to:
+                                  additionalProperties:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                  description: Map of upstream localities to traffic
+                                    distribution weights.
+                                  type: object
+                              type: object
+                            type: array
+                          enabled:
+                            description: Enable locality load balancing.
+                            nullable: true
+                            type: boolean
+                          failover:
+                            description: 'Optional: only one of distribute, failover
+                              or failoverPriority can be set.'
+                            items:
+                              properties:
+                                from:
+                                  description: Originating region.
+                                  type: string
+                                to:
+                                  description: Destination region the traffic will
+                                    fail over to when endpoints in the 'from' region
+                                    becomes unhealthy.
+                                  type: string
+                              type: object
+                            type: array
+                          failoverPriority:
+                            description: failoverPriority is an ordered list of labels
+                              used to sort endpoints to do priority based load balancing.
+                            items:
+                              type: string
+                            type: array
+                        type: object
+                      simple:
+                        description: |2-
+
+
+                          Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                        enum:
+                        - UNSPECIFIED
+                        - LEAST_CONN
+                        - RANDOM
+                        - PASSTHROUGH
+                        - ROUND_ROBIN
+                        - LEAST_REQUEST
+                        type: string
+                      warmup:
+                        description: Represents the warmup configuration of Service.
+                        properties:
+                          aggression:
+                            description: This parameter controls the speed of traffic
+                              increase over the warmup duration.
+                            format: double
+                            minimum: 1
+                            nullable: true
+                            type: number
+                          duration:
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          minimumPercent:
+                            format: double
+                            maximum: 100
+                            minimum: 0
+                            nullable: true
+                            type: number
+                        required:
+                        - duration
+                        type: object
+                      warmupDurationSecs:
+                        description: 'Deprecated: use `warmup` instead.'
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                    type: object
+                  outlierDetection:
+                    properties:
+                      baseEjectionTime:
+                        description: Minimum ejection duration.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      consecutive5xxErrors:
+                        description: Number of 5xx errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveErrors:
+                        format: int32
+                        type: integer
+                      consecutiveGatewayErrors:
+                        description: Number of gateway errors before a host is ejected
+                          from the connection pool.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      consecutiveLocalOriginFailures:
+                        description: The number of consecutive locally originated
+                          failures before ejection occurs.
+                        maximum: 4294967295
+                        minimum: 0
+                        nullable: true
+                        type: integer
+                      interval:
+                        description: Time interval between ejection sweep analysis.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxEjectionPercent:
+                        description: Maximum % of hosts in the load balancing pool
+                          for the upstream service that can be ejected.
+                        format: int32
+                        type: integer
+                      minHealthPercent:
+                        description: Outlier detection will be enabled as long as
+                          the associated load balancing pool has at least `minHealthPercent`
+                          hosts in healthy mode.
+                        format: int32
+                        type: integer
+                      splitExternalLocalOriginErrors:
+                        description: Determines whether to distinguish local origin
+                          failures from external errors.
+                        type: boolean
+                    type: object
+                  portLevelSettings:
+                    description: Traffic policies specific to individual ports.
+                    items:
+                      properties:
+                        connectionPool:
+                          properties:
+                            http:
+                              description: HTTP connection pool settings.
+                              properties:
+                                h2UpgradePolicy:
+                                  description: |-
+                                    Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                    Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                                  enum:
+                                  - DEFAULT
+                                  - DO_NOT_UPGRADE
+                                  - UPGRADE
+                                  type: string
+                                http1MaxPendingRequests:
+                                  description: Maximum number of requests that will
+                                    be queued while waiting for a ready connection
+                                    pool connection.
+                                  format: int32
+                                  type: integer
+                                http2MaxRequests:
+                                  description: Maximum number of active requests to
+                                    a destination.
+                                  format: int32
+                                  type: integer
+                                idleTimeout:
+                                  description: The idle timeout for upstream connection
+                                    pool connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConcurrentStreams:
+                                  description: The maximum number of concurrent streams
+                                    allowed for a peer on one HTTP/2 connection.
+                                  format: int32
+                                  type: integer
+                                maxRequestsPerConnection:
+                                  description: Maximum number of requests per connection
+                                    to a backend.
+                                  format: int32
+                                  type: integer
+                                maxRetries:
+                                  description: Maximum number of retries that can
+                                    be outstanding to all hosts in a cluster at a
+                                    given time.
+                                  format: int32
+                                  type: integer
+                                useClientProtocol:
+                                  description: If set to true, client protocol will
+                                    be preserved while initiating connection to backend.
+                                  type: boolean
+                              type: object
+                            tcp:
+                              description: Settings common to both HTTP and TCP upstream
+                                connections.
+                              properties:
+                                connectTimeout:
+                                  description: TCP connection timeout.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                idleTimeout:
+                                  description: The idle timeout for TCP connections.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnectionDuration:
+                                  description: The maximum duration of a connection.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                maxConnections:
+                                  description: Maximum number of HTTP1 /TCP connections
+                                    to a destination host.
+                                  format: int32
+                                  type: integer
+                                tcpKeepalive:
+                                  description: If set then set SO_KEEPALIVE on the
+                                    socket to enable TCP Keepalives.
+                                  properties:
+                                    interval:
+                                      description: The time duration between keep-alive
+                                        probes.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                    probes:
+                                      description: Maximum number of keepalive probes
+                                        to send without response before deciding the
+                                        connection is dead.
+                                      maximum: 4294967295
+                                      minimum: 0
+                                      type: integer
+                                    time:
+                                      description: The time duration a connection
+                                        needs to be idle before keep-alive probes
+                                        start being sent.
+                                      type: string
+                                      x-kubernetes-validations:
+                                      - message: must be a valid duration greater
+                                          than 1ms
+                                        rule: duration(self) >= duration('1ms')
+                                  type: object
+                              type: object
+                          type: object
+                        loadBalancer:
+                          description: Settings controlling the load balancer algorithms.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - simple
+                              - required:
+                                - consistentHash
+                          - required:
+                            - simple
+                          - required:
+                            - consistentHash
+                          properties:
+                            consistentHash:
+                              allOf:
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - httpHeaderName
+                                    - required:
+                                      - httpCookie
+                                    - required:
+                                      - useSourceIp
+                                    - required:
+                                      - httpQueryParameterName
+                                - required:
+                                  - httpHeaderName
+                                - required:
+                                  - httpCookie
+                                - required:
+                                  - useSourceIp
+                                - required:
+                                  - httpQueryParameterName
+                              - oneOf:
+                                - not:
+                                    anyOf:
+                                    - required:
+                                      - ringHash
+                                    - required:
+                                      - maglev
+                                - required:
+                                  - ringHash
+                                - required:
+                                  - maglev
+                              properties:
+                                httpCookie:
+                                  description: Hash based on HTTP cookie.
+                                  properties:
+                                    name:
+                                      description: Name of the cookie.
+                                      type: string
+                                    path:
+                                      description: Path to set for the cookie.
+                                      type: string
+                                    ttl:
+                                      description: Lifetime of the cookie.
+                                      type: string
+                                  required:
+                                  - name
+                                  type: object
+                                httpHeaderName:
+                                  description: Hash based on a specific HTTP header.
+                                  type: string
+                                httpQueryParameterName:
+                                  description: Hash based on a specific HTTP query
+                                    parameter.
+                                  type: string
+                                maglev:
+                                  description: The Maglev load balancer implements
+                                    consistent hashing to backend hosts.
+                                  properties:
+                                    tableSize:
+                                      description: The table size for Maglev hashing.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                minimumRingSize:
+                                  description: Deprecated.
+                                  minimum: 0
+                                  type: integer
+                                ringHash:
+                                  description: The ring/modulo hash load balancer
+                                    implements consistent hashing to backend hosts.
+                                  properties:
+                                    minimumRingSize:
+                                      description: The minimum number of virtual nodes
+                                        to use for the hash ring.
+                                      minimum: 0
+                                      type: integer
+                                  type: object
+                                useSourceIp:
+                                  description: Hash based on the source IP address.
+                                  type: boolean
+                              type: object
+                            localityLbSetting:
+                              properties:
+                                distribute:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating locality, '/' separated,
+                                          e.g.
+                                        type: string
+                                      to:
+                                        additionalProperties:
+                                          maximum: 4294967295
+                                          minimum: 0
+                                          type: integer
+                                        description: Map of upstream localities to
+                                          traffic distribution weights.
+                                        type: object
+                                    type: object
+                                  type: array
+                                enabled:
+                                  description: Enable locality load balancing.
+                                  nullable: true
+                                  type: boolean
+                                failover:
+                                  description: 'Optional: only one of distribute,
+                                    failover or failoverPriority can be set.'
+                                  items:
+                                    properties:
+                                      from:
+                                        description: Originating region.
+                                        type: string
+                                      to:
+                                        description: Destination region the traffic
+                                          will fail over to when endpoints in the
+                                          'from' region becomes unhealthy.
+                                        type: string
+                                    type: object
+                                  type: array
+                                failoverPriority:
+                                  description: failoverPriority is an ordered list
+                                    of labels used to sort endpoints to do priority
+                                    based load balancing.
+                                  items:
+                                    type: string
+                                  type: array
+                              type: object
+                            simple:
+                              description: |2-
+
+
+                                Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST
+                              enum:
+                              - UNSPECIFIED
+                              - LEAST_CONN
+                              - RANDOM
+                              - PASSTHROUGH
+                              - ROUND_ROBIN
+                              - LEAST_REQUEST
+                              type: string
+                            warmup:
+                              description: Represents the warmup configuration of
+                                Service.
+                              properties:
+                                aggression:
+                                  description: This parameter controls the speed of
+                                    traffic increase over the warmup duration.
+                                  format: double
+                                  minimum: 1
+                                  nullable: true
+                                  type: number
+                                duration:
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                minimumPercent:
+                                  format: double
+                                  maximum: 100
+                                  minimum: 0
+                                  nullable: true
+                                  type: number
+                              required:
+                              - duration
+                              type: object
+                            warmupDurationSecs:
+                              description: 'Deprecated: use `warmup` instead.'
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                          type: object
+                        outlierDetection:
+                          properties:
+                            baseEjectionTime:
+                              description: Minimum ejection duration.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            consecutive5xxErrors:
+                              description: Number of 5xx errors before a host is ejected
+                                from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveErrors:
+                              format: int32
+                              type: integer
+                            consecutiveGatewayErrors:
+                              description: Number of gateway errors before a host
+                                is ejected from the connection pool.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            consecutiveLocalOriginFailures:
+                              description: The number of consecutive locally originated
+                                failures before ejection occurs.
+                              maximum: 4294967295
+                              minimum: 0
+                              nullable: true
+                              type: integer
+                            interval:
+                              description: Time interval between ejection sweep analysis.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxEjectionPercent:
+                              description: Maximum % of hosts in the load balancing
+                                pool for the upstream service that can be ejected.
+                              format: int32
+                              type: integer
+                            minHealthPercent:
+                              description: Outlier detection will be enabled as long
+                                as the associated load balancing pool has at least
+                                `minHealthPercent` hosts in healthy mode.
+                              format: int32
+                              type: integer
+                            splitExternalLocalOriginErrors:
+                              description: Determines whether to distinguish local
+                                origin failures from external errors.
+                              type: boolean
+                          type: object
+                        port:
+                          description: Specifies the number of a port on the destination
+                            service on which this policy is being applied.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        tls:
+                          description: TLS related settings for connections to the
+                            upstream service.
+                          properties:
+                            caCertificates:
+                              description: 'OPTIONAL: The path to the file containing
+                                certificate authority certificates to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            caCrl:
+                              description: 'OPTIONAL: The path to the file containing
+                                the certificate revocation list (CRL) to use in verifying
+                                a presented server certificate.'
+                              type: string
+                            clientCertificate:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            credentialName:
+                              description: The name of the secret that holds the TLS
+                                certs for the client including the CA certificates.
+                              type: string
+                            insecureSkipVerify:
+                              description: '`insecureSkipVerify` specifies whether
+                                the proxy should skip verifying the CA signature and
+                                SAN for the server certificate corresponding to the
+                                host.'
+                              nullable: true
+                              type: boolean
+                            mode:
+                              description: |-
+                                Indicates whether connections to this port should be secured using TLS.
+
+                                Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                              enum:
+                              - DISABLE
+                              - SIMPLE
+                              - MUTUAL
+                              - ISTIO_MUTUAL
+                              type: string
+                            privateKey:
+                              description: REQUIRED if mode is `MUTUAL`.
+                              type: string
+                            sni:
+                              description: SNI string to present to the server during
+                                TLS handshake.
+                              type: string
+                            subjectAltNames:
+                              description: A list of alternate names to verify the
+                                subject identity in the certificate.
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      type: object
+                    maxItems: 4096
+                    type: array
+                  proxyProtocol:
+                    description: The upstream PROXY protocol settings.
+                    properties:
+                      version:
+                        description: |-
+                          The PROXY protocol version to use.
+
+                          Valid Options: V1, V2
+                        enum:
+                        - V1
+                        - V2
+                        type: string
+                    type: object
+                  tls:
+                    description: TLS related settings for connections to the upstream
+                      service.
+                    properties:
+                      caCertificates:
+                        description: 'OPTIONAL: The path to the file containing certificate
+                          authority certificates to use in verifying a presented server
+                          certificate.'
+                        type: string
+                      caCrl:
+                        description: 'OPTIONAL: The path to the file containing the
+                          certificate revocation list (CRL) to use in verifying a
+                          presented server certificate.'
+                        type: string
+                      clientCertificate:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      credentialName:
+                        description: The name of the secret that holds the TLS certs
+                          for the client including the CA certificates.
+                        type: string
+                      insecureSkipVerify:
+                        description: '`insecureSkipVerify` specifies whether the proxy
+                          should skip verifying the CA signature and SAN for the server
+                          certificate corresponding to the host.'
+                        nullable: true
+                        type: boolean
+                      mode:
+                        description: |-
+                          Indicates whether connections to this port should be secured using TLS.
+
+                          Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+                        enum:
+                        - DISABLE
+                        - SIMPLE
+                        - MUTUAL
+                        - ISTIO_MUTUAL
+                        type: string
+                      privateKey:
+                        description: REQUIRED if mode is `MUTUAL`.
+                        type: string
+                      sni:
+                        description: SNI string to present to the server during TLS
+                          handshake.
+                        type: string
+                      subjectAltNames:
+                        description: A list of alternate names to verify the subject
+                          identity in the certificate.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  tunnel:
+                    description: Configuration of tunneling TCP over other transport
+                      or application layers for the host configured in the DestinationRule.
+                    properties:
+                      protocol:
+                        description: Specifies which protocol to use for tunneling
+                          the downstream connection.
+                        type: string
+                      targetHost:
+                        description: Specifies a host to which the downstream connection
+                          is tunneled.
+                        type: string
+                      targetPort:
+                        description: Specifies a port to which the downstream connection
+                          is tunneled.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                    required:
+                    - targetHost
+                    - targetPort
+                    type: object
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `DestinationRule` configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            required:
+            - host
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: envoyfilters.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: EnvoyFilter
+    listKind: EnvoyFilterList
+    plural: envoyfilters
+    singular: envoyfilter
+  scope: Namespaced
+  versions:
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Customizing Envoy configuration generated by Istio. See
+              more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html'
+            properties:
+              configPatches:
+                description: One or more patches with match conditions.
+                items:
+                  properties:
+                    applyTo:
+                      description: |-
+                        Specifies where in the Envoy configuration, the patch should be applied.
+
+                        Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER
+                      enum:
+                      - INVALID
+                      - LISTENER
+                      - FILTER_CHAIN
+                      - NETWORK_FILTER
+                      - HTTP_FILTER
+                      - ROUTE_CONFIGURATION
+                      - VIRTUAL_HOST
+                      - HTTP_ROUTE
+                      - CLUSTER
+                      - EXTENSION_CONFIG
+                      - BOOTSTRAP
+                      - LISTENER_FILTER
+                      type: string
+                    match:
+                      description: Match on listener/route configuration/cluster.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - listener
+                          - required:
+                            - routeConfiguration
+                          - required:
+                            - cluster
+                      - required:
+                        - listener
+                      - required:
+                        - routeConfiguration
+                      - required:
+                        - cluster
+                      properties:
+                        cluster:
+                          description: Match on envoy cluster attributes.
+                          properties:
+                            name:
+                              description: The exact name of the cluster to match.
+                              type: string
+                            portNumber:
+                              description: The service port for which this cluster
+                                was generated.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            service:
+                              description: The fully qualified service name for this
+                                cluster.
+                              type: string
+                            subset:
+                              description: The subset associated with the service.
+                              type: string
+                          type: object
+                        context:
+                          description: |-
+                            The specific config generation context to match on.
+
+                            Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY
+                          enum:
+                          - ANY
+                          - SIDECAR_INBOUND
+                          - SIDECAR_OUTBOUND
+                          - GATEWAY
+                          type: string
+                        listener:
+                          description: Match on envoy listener attributes.
+                          properties:
+                            filterChain:
+                              description: Match a specific filter chain in a listener.
+                              properties:
+                                applicationProtocols:
+                                  description: Applies only to sidecars.
+                                  type: string
+                                destinationPort:
+                                  description: The destination_port value used by
+                                    a filter chain's match condition.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                filter:
+                                  description: The name of a specific filter to apply
+                                    the patch to.
+                                  properties:
+                                    name:
+                                      description: The filter name to match on.
+                                      type: string
+                                    subFilter:
+                                      description: The next level filter within this
+                                        filter to match upon.
+                                      properties:
+                                        name:
+                                          description: The filter name to match on.
+                                          type: string
+                                      type: object
+                                  type: object
+                                name:
+                                  description: The name assigned to the filter chain.
+                                  type: string
+                                sni:
+                                  description: The SNI value used by a filter chain's
+                                    match condition.
+                                  type: string
+                                transportProtocol:
+                                  description: Applies only to `SIDECAR_INBOUND` context.
+                                  type: string
+                              type: object
+                            listenerFilter:
+                              description: Match a specific listener filter.
+                              type: string
+                            name:
+                              description: Match a specific listener by its name.
+                              type: string
+                            portName:
+                              type: string
+                            portNumber:
+                              description: The service port/gateway port to which
+                                traffic is being sent/received.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        proxy:
+                          description: Match on properties associated with a proxy.
+                          properties:
+                            metadata:
+                              additionalProperties:
+                                type: string
+                              description: Match on the node metadata supplied by
+                                a proxy when connecting to istiod.
+                              type: object
+                            proxyVersion:
+                              description: A regular expression in golang regex format
+                                (RE2) that can be used to select proxies using a specific
+                                version of istio proxy.
+                              type: string
+                          type: object
+                        routeConfiguration:
+                          description: Match on envoy HTTP route configuration attributes.
+                          properties:
+                            gateway:
+                              description: The Istio gateway config's namespace/name
+                                for which this route configuration was generated.
+                              type: string
+                            name:
+                              description: Route configuration name to match on.
+                              type: string
+                            portName:
+                              description: Applicable only for GATEWAY context.
+                              type: string
+                            portNumber:
+                              description: The service port number or gateway server
+                                port number for which this route configuration was
+                                generated.
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                            vhost:
+                              description: Match a specific virtual host in a route
+                                configuration and apply the patch to the virtual host.
+                              properties:
+                                domainName:
+                                  description: Match a domain name in a virtual host.
+                                  type: string
+                                name:
+                                  description: The VirtualHosts objects generated
+                                    by Istio are named as host:port, where the host
+                                    typically corresponds to the VirtualService's
+                                    host field or the hostname of a service in the
+                                    registry.
+                                  type: string
+                                route:
+                                  description: Match a specific route within the virtual
+                                    host.
+                                  properties:
+                                    action:
+                                      description: |-
+                                        Match a route with specific action type.
+
+                                        Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE
+                                      enum:
+                                      - ANY
+                                      - ROUTE
+                                      - REDIRECT
+                                      - DIRECT_RESPONSE
+                                      type: string
+                                    name:
+                                      description: The Route objects generated by
+                                        default are named as default.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                      type: object
+                    patch:
+                      description: The patch to apply along with the operation.
+                      properties:
+                        filterClass:
+                          description: |-
+                            Determines the filter insertion order.
+
+                            Valid Options: AUTHN, AUTHZ, STATS
+                          enum:
+                          - UNSPECIFIED
+                          - AUTHN
+                          - AUTHZ
+                          - STATS
+                          type: string
+                        operation:
+                          description: |-
+                            Determines how the patch should be applied.
+
+                            Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE
+                          enum:
+                          - INVALID
+                          - MERGE
+                          - ADD
+                          - REMOVE
+                          - INSERT_BEFORE
+                          - INSERT_AFTER
+                          - INSERT_FIRST
+                          - REPLACE
+                          type: string
+                        value:
+                          description: The JSON config of the object being patched.
+                          type: object
+                          x-kubernetes-preserve-unknown-fields: true
+                      type: object
+                  type: object
+                type: array
+              priority:
+                description: Priority defines the order in which patch sets are applied
+                  within a context.
+                format: int32
+                type: integer
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this patch configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or workloadSelector can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.targetRefs)
+                ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: gateways.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Gateway
+    listKind: GatewayList
+    plural: gateways
+    shortNames:
+    - gw
+    singular: gateway
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting edge load balancer. See more details
+              at: https://istio.io/docs/reference/config/networking/gateway.html'
+            properties:
+              selector:
+                additionalProperties:
+                  type: string
+                description: One or more labels that indicate a specific set of pods/VMs
+                  on which this gateway configuration should be applied.
+                type: object
+              servers:
+                description: A list of server specifications.
+                items:
+                  properties:
+                    bind:
+                      description: The ip or the Unix domain socket to which the listener
+                        should be bound to.
+                      type: string
+                    defaultEndpoint:
+                      type: string
+                    hosts:
+                      description: One or more hosts exposed by this gateway.
+                      items:
+                        type: string
+                      type: array
+                    name:
+                      description: An optional name of the server, when set must be
+                        unique across all servers.
+                      type: string
+                    port:
+                      description: The Port on which the proxy should listen for incoming
+                        connections.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - number
+                      - protocol
+                      - name
+                      type: object
+                    tls:
+                      description: Set of TLS related options that govern the server's
+                        behavior.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  - hosts
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: peerauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: PeerAuthentication
+    listKind: PeerAuthenticationList
+    plural: peerauthentications
+    shortNames:
+    - pa
+    singular: peerauthentication
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Defines the mTLS mode used for peer authentication.
+      jsonPath: .spec.mtls.mode
+      name: Mode
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+            properties:
+              mtls:
+                description: Mutual TLS settings for workload.
+                properties:
+                  mode:
+                    description: |-
+                      Defines the mTLS mode used for peer authentication.
+
+                      Valid Options: DISABLE, PERMISSIVE, STRICT
+                    enum:
+                    - UNSET
+                    - DISABLE
+                    - PERMISSIVE
+                    - STRICT
+                    type: string
+                type: object
+              portLevelMtls:
+                additionalProperties:
+                  properties:
+                    mode:
+                      description: |-
+                        Defines the mTLS mode used for peer authentication.
+
+                        Valid Options: DISABLE, PERMISSIVE, STRICT
+                      enum:
+                      - UNSET
+                      - DISABLE
+                      - PERMISSIVE
+                      - STRICT
+                      type: string
+                  type: object
+                description: Port specific mutual TLS settings.
+                minProperties: 1
+                type: object
+                x-kubernetes-validations:
+                - message: port must be between 1-65535
+                  rule: self.all(key, 0 < int(key) && int(key) <= 65535)
+              selector:
+                description: The selector determines the workloads to apply the PeerAuthentication
+                  on.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: portLevelMtls requires selector
+              rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels))
+                ? self.selector.matchLabels : {}).size() > 0) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: Defines the mTLS mode used for peer authentication.
+      jsonPath: .spec.mtls.mode
+      name: Mode
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+            properties:
+              mtls:
+                description: Mutual TLS settings for workload.
+                properties:
+                  mode:
+                    description: |-
+                      Defines the mTLS mode used for peer authentication.
+
+                      Valid Options: DISABLE, PERMISSIVE, STRICT
+                    enum:
+                    - UNSET
+                    - DISABLE
+                    - PERMISSIVE
+                    - STRICT
+                    type: string
+                type: object
+              portLevelMtls:
+                additionalProperties:
+                  properties:
+                    mode:
+                      description: |-
+                        Defines the mTLS mode used for peer authentication.
+
+                        Valid Options: DISABLE, PERMISSIVE, STRICT
+                      enum:
+                      - UNSET
+                      - DISABLE
+                      - PERMISSIVE
+                      - STRICT
+                      type: string
+                  type: object
+                description: Port specific mutual TLS settings.
+                minProperties: 1
+                type: object
+                x-kubernetes-validations:
+                - message: port must be between 1-65535
+                  rule: self.all(key, 0 < int(key) && int(key) <= 65535)
+              selector:
+                description: The selector determines the workloads to apply the PeerAuthentication
+                  on.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            type: object
+            x-kubernetes-validations:
+            - message: portLevelMtls requires selector
+              rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels))
+                ? self.selector.matchLabels : {}).size() > 0) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: proxyconfigs.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ProxyConfig
+    listKind: ProxyConfigList
+    plural: proxyconfigs
+    singular: proxyconfig
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Provides configuration for individual workloads. See more
+              details at: https://istio.io/docs/reference/config/networking/proxy-config.html'
+            properties:
+              concurrency:
+                description: The number of worker threads to run.
+                format: int32
+                minimum: 0
+                nullable: true
+                type: integer
+              environmentVariables:
+                additionalProperties:
+                  maxLength: 2048
+                  type: string
+                description: Additional environment variables for the proxy.
+                type: object
+              image:
+                description: Specifies the details of the proxy image.
+                properties:
+                  imageType:
+                    description: The image type of the image.
+                    type: string
+                type: object
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: requestauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+    - istio-io
+    - security-istio-io
+    kind: RequestAuthentication
+    listKind: RequestAuthenticationList
+    plural: requestauthentications
+    shortNames:
+    - ra
+    singular: requestauthentication
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            minLength: 1
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      minLength: 1
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            minLength: 1
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            minLength: 1
+                            pattern: ^[-_A-Za-z0-9]+$
+                            type: string
+                        required:
+                        - header
+                        - claim
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                    timeout:
+                      description: The maximum amount of time that the resolver, determined
+                        by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
+                        will spend waiting for the JWKS to be fetched.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  required:
+                  - issuer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: only one of jwks or jwksUri can be set
+                    rule: '(has(self.jwksUri) ? 1 : 0) + (has(self.jwks_uri) ? 1 :
+                      0) + (has(self.jwks) ? 1 : 0) <= 1'
+                maxItems: 4096
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Request authentication configuration for workloads. See
+              more details at: https://istio.io/docs/reference/config/security/request_authentication.html'
+            properties:
+              jwtRules:
+                description: Define the list of JWTs that can be validated at the
+                  selected workloads' proxy.
+                items:
+                  properties:
+                    audiences:
+                      description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+                        that are allowed to access.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    forwardOriginalToken:
+                      description: If set to true, the original token will be kept
+                        for the upstream request.
+                      type: boolean
+                    fromCookies:
+                      description: List of cookie names from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    fromHeaders:
+                      description: List of header locations from which JWT is expected.
+                      items:
+                        properties:
+                          name:
+                            description: The HTTP header name.
+                            minLength: 1
+                            type: string
+                          prefix:
+                            description: The prefix that should be stripped before
+                              decoding the token.
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    fromParams:
+                      description: List of query parameters from which JWT is expected.
+                      items:
+                        minLength: 1
+                        type: string
+                      type: array
+                    issuer:
+                      description: Identifies the issuer that issued the JWT.
+                      minLength: 1
+                      type: string
+                    jwks:
+                      description: JSON Web Key Set of public keys to validate signature
+                        of the JWT.
+                      type: string
+                    jwks_uri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    jwksUri:
+                      description: URL of the provider's public key set to validate
+                        signature of the JWT.
+                      maxLength: 2048
+                      minLength: 1
+                      type: string
+                      x-kubernetes-validations:
+                      - message: url must have scheme http:// or https://
+                        rule: url(self).getScheme() in ["http", "https"]
+                    outputClaimToHeaders:
+                      description: This field specifies a list of operations to copy
+                        the claim to HTTP headers on a successfully verified token.
+                      items:
+                        properties:
+                          claim:
+                            description: The name of the claim to be copied from.
+                            minLength: 1
+                            type: string
+                          header:
+                            description: The name of the header to be created.
+                            minLength: 1
+                            pattern: ^[-_A-Za-z0-9]+$
+                            type: string
+                        required:
+                        - header
+                        - claim
+                        type: object
+                      type: array
+                    outputPayloadToHeader:
+                      description: This field specifies the header name to output
+                        a successfully verified JWT payload to the backend.
+                      type: string
+                    timeout:
+                      description: The maximum amount of time that the resolver, determined
+                        by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable,
+                        will spend waiting for the JWKS to be fetched.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  required:
+                  - issuer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: only one of jwks or jwksUri can be set
+                    rule: '(has(self.jwksUri) ? 1 : 0) + (has(self.jwks_uri) ? 1 :
+                      0) + (has(self.jwks) ? 1 : 0) <= 1'
+                maxItems: 4096
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: serviceentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: ServiceEntry
+    listKind: ServiceEntryList
+    plural: serviceentries
+    shortNames:
+    - se
+    singular: serviceentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  maxLength: 64
+                  type: string
+                maxItems: 256
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      maxLength: 256
+                      type: string
+                      x-kubernetes-validations:
+                      - message: UDS must be an absolute path or abstract socket
+                        rule: 'self.startsWith("unix://") ? (self.substring(7, 8)
+                          == "/" || self.substring(7, 8) == "@") : true'
+                      - message: UDS may not be a dir
+                        rule: 'self.startsWith("unix://") ? !self.endsWith("/") :
+                          true'
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      maxProperties: 256
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      maxLength: 2048
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      maxLength: 2048
+                      type: string
+                    ports:
+                      additionalProperties:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      description: Set of ports associated with the endpoint.
+                      maxProperties: 128
+                      type: object
+                      x-kubernetes-validations:
+                      - message: port name must be valid
+                        rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      maxLength: 253
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Address is required
+                    rule: has(self.address) || has(self.network)
+                  - message: UDS may not include ports
+                    rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                      ? !has(self.ports) : true'
+                maxItems: 4096
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                  x-kubernetes-validations:
+                  - message: hostname cannot be wildcard
+                    rule: self != "*"
+                maxItems: 256
+                minItems: 1
+                type: array
+              location:
+                description: |-
+                  Specify whether the service should be considered external to the mesh or part of the mesh.
+
+                  Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      maxLength: 256
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    protocol:
+                      description: The protocol exposed on the port.
+                      maxLength: 256
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                  required:
+                  - number
+                  - name
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: port number cannot be duplicated
+                  rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
+              resolution:
+                description: |-
+                  Service resolution mode for the hosts.
+
+                  Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+            x-kubernetes-validations:
+            - message: only one of WorkloadSelector or Endpoints can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ?
+                1 : 0) <= 1'
+            - message: CIDR addresses are allowed only for NONE/STATIC resolution
+                types
+              rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/"))
+                && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC",
+                "NONE"]))'
+            - message: NONE mode cannot set endpoints
+              rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE")
+                ? !has(self.endpoints) : true'
+            - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+              rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
+                ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  maxLength: 64
+                  type: string
+                maxItems: 256
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      maxLength: 256
+                      type: string
+                      x-kubernetes-validations:
+                      - message: UDS must be an absolute path or abstract socket
+                        rule: 'self.startsWith("unix://") ? (self.substring(7, 8)
+                          == "/" || self.substring(7, 8) == "@") : true'
+                      - message: UDS may not be a dir
+                        rule: 'self.startsWith("unix://") ? !self.endsWith("/") :
+                          true'
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      maxProperties: 256
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      maxLength: 2048
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      maxLength: 2048
+                      type: string
+                    ports:
+                      additionalProperties:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      description: Set of ports associated with the endpoint.
+                      maxProperties: 128
+                      type: object
+                      x-kubernetes-validations:
+                      - message: port name must be valid
+                        rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      maxLength: 253
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Address is required
+                    rule: has(self.address) || has(self.network)
+                  - message: UDS may not include ports
+                    rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                      ? !has(self.ports) : true'
+                maxItems: 4096
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                  x-kubernetes-validations:
+                  - message: hostname cannot be wildcard
+                    rule: self != "*"
+                maxItems: 256
+                minItems: 1
+                type: array
+              location:
+                description: |-
+                  Specify whether the service should be considered external to the mesh or part of the mesh.
+
+                  Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      maxLength: 256
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    protocol:
+                      description: The protocol exposed on the port.
+                      maxLength: 256
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                  required:
+                  - number
+                  - name
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: port number cannot be duplicated
+                  rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
+              resolution:
+                description: |-
+                  Service resolution mode for the hosts.
+
+                  Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+            x-kubernetes-validations:
+            - message: only one of WorkloadSelector or Endpoints can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ?
+                1 : 0) <= 1'
+            - message: CIDR addresses are allowed only for NONE/STATIC resolution
+                types
+              rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/"))
+                && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC",
+                "NONE"]))'
+            - message: NONE mode cannot set endpoints
+              rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE")
+                ? !has(self.endpoints) : true'
+            - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+              rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
+                ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The hosts associated with the ServiceEntry
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: Whether the service is external to the mesh or part of the mesh
+        (MESH_EXTERNAL or MESH_INTERNAL)
+      jsonPath: .spec.location
+      name: Location
+      type: string
+    - description: Service resolution mode for the hosts (NONE, STATIC, or DNS)
+      jsonPath: .spec.resolution
+      name: Resolution
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting service registry. See more details
+              at: https://istio.io/docs/reference/config/networking/service-entry.html'
+            properties:
+              addresses:
+                description: The virtual IP addresses associated with the service.
+                items:
+                  maxLength: 64
+                  type: string
+                maxItems: 256
+                type: array
+              endpoints:
+                description: One or more endpoints associated with the service.
+                items:
+                  properties:
+                    address:
+                      description: Address associated with the network endpoint without
+                        the port.
+                      maxLength: 256
+                      type: string
+                      x-kubernetes-validations:
+                      - message: UDS must be an absolute path or abstract socket
+                        rule: 'self.startsWith("unix://") ? (self.substring(7, 8)
+                          == "/" || self.substring(7, 8) == "@") : true'
+                      - message: UDS may not be a dir
+                        rule: 'self.startsWith("unix://") ? !self.endsWith("/") :
+                          true'
+                    labels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels associated with the endpoint.
+                      maxProperties: 256
+                      type: object
+                    locality:
+                      description: The locality associated with the endpoint.
+                      maxLength: 2048
+                      type: string
+                    network:
+                      description: Network enables Istio to group endpoints resident
+                        in the same L3 domain/network.
+                      maxLength: 2048
+                      type: string
+                    ports:
+                      additionalProperties:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      description: Set of ports associated with the endpoint.
+                      maxProperties: 128
+                      type: object
+                      x-kubernetes-validations:
+                      - message: port name must be valid
+                        rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                    serviceAccount:
+                      description: The service account associated with the workload
+                        if a sidecar is present in the workload.
+                      maxLength: 253
+                      type: string
+                    weight:
+                      description: The load balancing weight associated with the endpoint.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                  type: object
+                  x-kubernetes-validations:
+                  - message: Address is required
+                    rule: has(self.address) || has(self.network)
+                  - message: UDS may not include ports
+                    rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                      ? !has(self.ports) : true'
+                maxItems: 4096
+                type: array
+              exportTo:
+                description: A list of namespaces to which this service is exported.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The hosts associated with the ServiceEntry.
+                items:
+                  type: string
+                  x-kubernetes-validations:
+                  - message: hostname cannot be wildcard
+                    rule: self != "*"
+                maxItems: 256
+                minItems: 1
+                type: array
+              location:
+                description: |-
+                  Specify whether the service should be considered external to the mesh or part of the mesh.
+
+                  Valid Options: MESH_EXTERNAL, MESH_INTERNAL
+                enum:
+                - MESH_EXTERNAL
+                - MESH_INTERNAL
+                type: string
+              ports:
+                description: The ports associated with the external service.
+                items:
+                  properties:
+                    name:
+                      description: Label assigned to the port.
+                      maxLength: 256
+                      type: string
+                    number:
+                      description: A valid non-negative integer port number.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    protocol:
+                      description: The protocol exposed on the port.
+                      maxLength: 256
+                      type: string
+                    targetPort:
+                      description: The port number on the endpoint where the traffic
+                        will be received.
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                  required:
+                  - number
+                  - name
+                  type: object
+                maxItems: 256
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+                x-kubernetes-validations:
+                - message: port number cannot be duplicated
+                  rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
+              resolution:
+                description: |-
+                  Service resolution mode for the hosts.
+
+                  Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN
+                enum:
+                - NONE
+                - STATIC
+                - DNS
+                - DNS_ROUND_ROBIN
+                type: string
+              subjectAltNames:
+                description: If specified, the proxy will verify that the server certificate's
+                  subject alternate name matches one of the specified values.
+                items:
+                  type: string
+                type: array
+              workloadSelector:
+                description: Applicable only for MESH_INTERNAL services.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            required:
+            - hosts
+            type: object
+            x-kubernetes-validations:
+            - message: only one of WorkloadSelector or Endpoints can be set
+              rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ?
+                1 : 0) <= 1'
+            - message: CIDR addresses are allowed only for NONE/STATIC resolution
+                types
+              rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/"))
+                && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC",
+                "NONE"]))'
+            - message: NONE mode cannot set endpoints
+              rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE")
+                ? !has(self.endpoints) : true'
+            - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+              rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN")
+                ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: sidecars.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: Sidecar
+    listKind: SidecarList
+    plural: sidecars
+    singular: sidecar
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: |-
+                        When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: |-
+                        The captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: |-
+                                Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Set the default behavior of the sidecar for handling
+                  outbound traffic from the application.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    description: |2-
+
+
+                      Valid Options: REGISTRY_ONLY, ALLOW_ANY
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: |-
+                        When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: |-
+                        The captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: |-
+                                Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Set the default behavior of the sidecar for handling
+                  outbound traffic from the application.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    description: |2-
+
+
+                      Valid Options: REGISTRY_ONLY, ALLOW_ANY
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting network reachability of a sidecar.
+              See more details at: https://istio.io/docs/reference/config/networking/sidecar.html'
+            properties:
+              egress:
+                description: Egress specifies the configuration of the sidecar for
+                  processing outbound traffic from the attached workload instance
+                  to other services in the mesh.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) or the Unix domain socket
+                        to which the listener should be bound to.
+                      type: string
+                    captureMode:
+                      description: |-
+                        When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    hosts:
+                      description: One or more service hosts exposed by the listener
+                        in `namespace/dnsName` format.
+                      items:
+                        type: string
+                      type: array
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                  required:
+                  - hosts
+                  type: object
+                type: array
+              inboundConnectionPool:
+                description: Settings controlling the volume of connections Envoy
+                  will accept from the network.
+                properties:
+                  http:
+                    description: HTTP connection pool settings.
+                    properties:
+                      h2UpgradePolicy:
+                        description: |-
+                          Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                          Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                        enum:
+                        - DEFAULT
+                        - DO_NOT_UPGRADE
+                        - UPGRADE
+                        type: string
+                      http1MaxPendingRequests:
+                        description: Maximum number of requests that will be queued
+                          while waiting for a ready connection pool connection.
+                        format: int32
+                        type: integer
+                      http2MaxRequests:
+                        description: Maximum number of active requests to a destination.
+                        format: int32
+                        type: integer
+                      idleTimeout:
+                        description: The idle timeout for upstream connection pool
+                          connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConcurrentStreams:
+                        description: The maximum number of concurrent streams allowed
+                          for a peer on one HTTP/2 connection.
+                        format: int32
+                        type: integer
+                      maxRequestsPerConnection:
+                        description: Maximum number of requests per connection to
+                          a backend.
+                        format: int32
+                        type: integer
+                      maxRetries:
+                        description: Maximum number of retries that can be outstanding
+                          to all hosts in a cluster at a given time.
+                        format: int32
+                        type: integer
+                      useClientProtocol:
+                        description: If set to true, client protocol will be preserved
+                          while initiating connection to backend.
+                        type: boolean
+                    type: object
+                  tcp:
+                    description: Settings common to both HTTP and TCP upstream connections.
+                    properties:
+                      connectTimeout:
+                        description: TCP connection timeout.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      idleTimeout:
+                        description: The idle timeout for TCP connections.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnectionDuration:
+                        description: The maximum duration of a connection.
+                        type: string
+                        x-kubernetes-validations:
+                        - message: must be a valid duration greater than 1ms
+                          rule: duration(self) >= duration('1ms')
+                      maxConnections:
+                        description: Maximum number of HTTP1 /TCP connections to a
+                          destination host.
+                        format: int32
+                        type: integer
+                      tcpKeepalive:
+                        description: If set then set SO_KEEPALIVE on the socket to
+                          enable TCP Keepalives.
+                        properties:
+                          interval:
+                            description: The time duration between keep-alive probes.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                          probes:
+                            description: Maximum number of keepalive probes to send
+                              without response before deciding the connection is dead.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          time:
+                            description: The time duration a connection needs to be
+                              idle before keep-alive probes start being sent.
+                            type: string
+                            x-kubernetes-validations:
+                            - message: must be a valid duration greater than 1ms
+                              rule: duration(self) >= duration('1ms')
+                        type: object
+                    type: object
+                type: object
+              ingress:
+                description: Ingress specifies the configuration of the sidecar for
+                  processing inbound traffic to the attached workload instance.
+                items:
+                  properties:
+                    bind:
+                      description: The IP(IPv4 or IPv6) to which the listener should
+                        be bound.
+                      type: string
+                    captureMode:
+                      description: |-
+                        The captureMode option dictates how traffic to the listener is expected to be captured (or not).
+
+                        Valid Options: DEFAULT, IPTABLES, NONE
+                      enum:
+                      - DEFAULT
+                      - IPTABLES
+                      - NONE
+                      type: string
+                    connectionPool:
+                      description: Settings controlling the volume of connections
+                        Envoy will accept from the network.
+                      properties:
+                        http:
+                          description: HTTP connection pool settings.
+                          properties:
+                            h2UpgradePolicy:
+                              description: |-
+                                Specify if http1.1 connection should be upgraded to http2 for the associated destination.
+
+                                Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE
+                              enum:
+                              - DEFAULT
+                              - DO_NOT_UPGRADE
+                              - UPGRADE
+                              type: string
+                            http1MaxPendingRequests:
+                              description: Maximum number of requests that will be
+                                queued while waiting for a ready connection pool connection.
+                              format: int32
+                              type: integer
+                            http2MaxRequests:
+                              description: Maximum number of active requests to a
+                                destination.
+                              format: int32
+                              type: integer
+                            idleTimeout:
+                              description: The idle timeout for upstream connection
+                                pool connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConcurrentStreams:
+                              description: The maximum number of concurrent streams
+                                allowed for a peer on one HTTP/2 connection.
+                              format: int32
+                              type: integer
+                            maxRequestsPerConnection:
+                              description: Maximum number of requests per connection
+                                to a backend.
+                              format: int32
+                              type: integer
+                            maxRetries:
+                              description: Maximum number of retries that can be outstanding
+                                to all hosts in a cluster at a given time.
+                              format: int32
+                              type: integer
+                            useClientProtocol:
+                              description: If set to true, client protocol will be
+                                preserved while initiating connection to backend.
+                              type: boolean
+                          type: object
+                        tcp:
+                          description: Settings common to both HTTP and TCP upstream
+                            connections.
+                          properties:
+                            connectTimeout:
+                              description: TCP connection timeout.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            idleTimeout:
+                              description: The idle timeout for TCP connections.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnectionDuration:
+                              description: The maximum duration of a connection.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            maxConnections:
+                              description: Maximum number of HTTP1 /TCP connections
+                                to a destination host.
+                              format: int32
+                              type: integer
+                            tcpKeepalive:
+                              description: If set then set SO_KEEPALIVE on the socket
+                                to enable TCP Keepalives.
+                              properties:
+                                interval:
+                                  description: The time duration between keep-alive
+                                    probes.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                                probes:
+                                  description: Maximum number of keepalive probes
+                                    to send without response before deciding the connection
+                                    is dead.
+                                  maximum: 4294967295
+                                  minimum: 0
+                                  type: integer
+                                time:
+                                  description: The time duration a connection needs
+                                    to be idle before keep-alive probes start being
+                                    sent.
+                                  type: string
+                                  x-kubernetes-validations:
+                                  - message: must be a valid duration greater than
+                                      1ms
+                                    rule: duration(self) >= duration('1ms')
+                              type: object
+                          type: object
+                      type: object
+                    defaultEndpoint:
+                      description: The IP endpoint or Unix domain socket to which
+                        traffic should be forwarded to.
+                      type: string
+                    port:
+                      description: The port associated with the listener.
+                      properties:
+                        name:
+                          description: Label assigned to the port.
+                          type: string
+                        number:
+                          description: A valid non-negative integer port number.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        protocol:
+                          description: The protocol exposed on the port.
+                          type: string
+                        targetPort:
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      type: object
+                    tls:
+                      description: Set of TLS related options that will enable TLS
+                        termination on the sidecar for requests originating from outside
+                        the mesh.
+                      properties:
+                        caCertificates:
+                          description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
+                          type: string
+                        caCrl:
+                          description: 'OPTIONAL: The path to the file containing
+                            the certificate revocation list (CRL) to use in verifying
+                            a presented client side certificate.'
+                          type: string
+                        cipherSuites:
+                          description: 'Optional: If specified, only support the specified
+                            cipher list.'
+                          items:
+                            type: string
+                          type: array
+                        credentialName:
+                          description: For gateways running on Kubernetes, the name
+                            of the secret that holds the TLS certs including the CA
+                            certificates.
+                          type: string
+                        httpsRedirect:
+                          description: If set to true, the load balancer will send
+                            a 301 redirect for all http connections, asking the clients
+                            to use HTTPS.
+                          type: boolean
+                        maxProtocolVersion:
+                          description: |-
+                            Optional: Maximum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        minProtocolVersion:
+                          description: |-
+                            Optional: Minimum TLS protocol version.
+
+                            Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3
+                          enum:
+                          - TLS_AUTO
+                          - TLSV1_0
+                          - TLSV1_1
+                          - TLSV1_2
+                          - TLSV1_3
+                          type: string
+                        mode:
+                          description: |-
+                            Optional: Indicates whether connections to this port should be secured using TLS.
+
+                            Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL
+                          enum:
+                          - PASSTHROUGH
+                          - SIMPLE
+                          - MUTUAL
+                          - AUTO_PASSTHROUGH
+                          - ISTIO_MUTUAL
+                          - OPTIONAL_MUTUAL
+                          type: string
+                        privateKey:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        serverCertificate:
+                          description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
+                          type: string
+                        subjectAltNames:
+                          description: A list of alternate names to verify the subject
+                            identity in the certificate presented by the client.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateHash:
+                          description: An optional list of hex-encoded SHA-256 hashes
+                            of the authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                        verifyCertificateSpki:
+                          description: An optional list of base64-encoded SHA-256
+                            hashes of the SPKIs of authorized client certificates.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                  required:
+                  - port
+                  type: object
+                type: array
+              outboundTrafficPolicy:
+                description: Set the default behavior of the sidecar for handling
+                  outbound traffic from the application.
+                properties:
+                  egressProxy:
+                    properties:
+                      host:
+                        description: The name of a service from the service registry.
+                        type: string
+                      port:
+                        description: Specifies the port on the host that is being
+                          addressed.
+                        properties:
+                          number:
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                        type: object
+                      subset:
+                        description: The name of a subset within the service.
+                        type: string
+                    required:
+                    - host
+                    type: object
+                  mode:
+                    description: |2-
+
+
+                      Valid Options: REGISTRY_ONLY, ALLOW_ANY
+                    enum:
+                    - REGISTRY_ONLY
+                    - ALLOW_ANY
+                    type: string
+                type: object
+              workloadSelector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this `Sidecar` configuration should be applied.
+                properties:
+                  labels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard is not supported in selector
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which the configuration should be applied.
+                    maxProperties: 256
+                    type: object
+                type: object
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: telemetries.telemetry.istio.io
+spec:
+  group: telemetry.istio.io
+  names:
+    categories:
+    - istio-io
+    - telemetry-istio-io
+    kind: Telemetry
+    listKind: TelemetryList
+    plural: telemetries
+    shortNames:
+    - telemetry
+    singular: telemetry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Telemetry configuration for workloads. See more details
+              at: https://istio.io/docs/reference/config/telemetry.html'
+            properties:
+              accessLogging:
+                description: Optional.
+                items:
+                  properties:
+                    disabled:
+                      description: Controls logging.
+                      nullable: true
+                      type: boolean
+                    filter:
+                      description: Optional.
+                      properties:
+                        expression:
+                          description: CEL expression for selecting when requests/connections
+                            should be logged.
+                          type: string
+                      type: object
+                    match:
+                      description: Allows tailoring of logging behavior to specific
+                        conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              metrics:
+                description: Optional.
+                items:
+                  properties:
+                    overrides:
+                      description: Optional.
+                      items:
+                        properties:
+                          disabled:
+                            description: Optional.
+                            nullable: true
+                            type: boolean
+                          match:
+                            description: Match allows providing the scope of the override.
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - metric
+                                - required:
+                                  - customMetric
+                            - required:
+                              - metric
+                            - required:
+                              - customMetric
+                            properties:
+                              customMetric:
+                                description: Allows free-form specification of a metric.
+                                minLength: 1
+                                type: string
+                              metric:
+                                description: |-
+                                  One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+
+                                  Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES
+                                enum:
+                                - ALL_METRICS
+                                - REQUEST_COUNT
+                                - REQUEST_DURATION
+                                - REQUEST_SIZE
+                                - RESPONSE_SIZE
+                                - TCP_OPENED_CONNECTIONS
+                                - TCP_CLOSED_CONNECTIONS
+                                - TCP_SENT_BYTES
+                                - TCP_RECEIVED_BYTES
+                                - GRPC_REQUEST_MESSAGES
+                                - GRPC_RESPONSE_MESSAGES
+                                type: string
+                              mode:
+                                description: |-
+                                  Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.
+
+                                  Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                                enum:
+                                - CLIENT_AND_SERVER
+                                - CLIENT
+                                - SERVER
+                                type: string
+                            type: object
+                          tagOverrides:
+                            additionalProperties:
+                              properties:
+                                operation:
+                                  description: |-
+                                    Operation controls whether or not to update/add a tag, or to remove it.
+
+                                    Valid Options: UPSERT, REMOVE
+                                  enum:
+                                  - UPSERT
+                                  - REMOVE
+                                  type: string
+                                value:
+                                  description: Value is only considered if the operation
+                                    is `UPSERT`.
+                                  type: string
+                              type: object
+                              x-kubernetes-validations:
+                              - message: value must be set when operation is UPSERT
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "UPSERT") ? (self.value != "") : true'
+                              - message: value must not be set when operation is REMOVE
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "REMOVE") ? !has(self.value) : true'
+                            description: Optional.
+                            type: object
+                        type: object
+                      type: array
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    reportingInterval:
+                      description: Optional.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              tracing:
+                description: Optional.
+                items:
+                  properties:
+                    customTags:
+                      additionalProperties:
+                        oneOf:
+                        - not:
+                            anyOf:
+                            - required:
+                              - literal
+                            - required:
+                              - environment
+                            - required:
+                              - header
+                        - required:
+                          - literal
+                        - required:
+                          - environment
+                        - required:
+                          - header
+                        properties:
+                          environment:
+                            description: Environment adds the value of an environment
+                              variable to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the environment variable from
+                                  which to extract the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          header:
+                            description: RequestHeader adds the value of an header
+                              from the request to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the header from which to extract
+                                  the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          literal:
+                            description: Literal adds the same, hard-coded value to
+                              each span.
+                            properties:
+                              value:
+                                description: The tag value to use.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      description: Optional.
+                      type: object
+                    disableSpanReporting:
+                      description: Controls span reporting.
+                      nullable: true
+                      type: boolean
+                    enableIstioTags:
+                      description: Determines whether or not trace spans generated
+                        by Envoy will include Istio specific tags.
+                      nullable: true
+                      type: boolean
+                    match:
+                      description: Allows tailoring of behavior to specific conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    randomSamplingPercentage:
+                      description: Controls the rate at which traffic will be selected
+                        for tracing if no prior sampling decision has been made.
+                      format: double
+                      maximum: 100
+                      minimum: 0
+                      nullable: true
+                      type: number
+                    useRequestIdForTraceSampling:
+                      nullable: true
+                      type: boolean
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Telemetry configuration for workloads. See more details
+              at: https://istio.io/docs/reference/config/telemetry.html'
+            properties:
+              accessLogging:
+                description: Optional.
+                items:
+                  properties:
+                    disabled:
+                      description: Controls logging.
+                      nullable: true
+                      type: boolean
+                    filter:
+                      description: Optional.
+                      properties:
+                        expression:
+                          description: CEL expression for selecting when requests/connections
+                            should be logged.
+                          type: string
+                      type: object
+                    match:
+                      description: Allows tailoring of logging behavior to specific
+                        conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              metrics:
+                description: Optional.
+                items:
+                  properties:
+                    overrides:
+                      description: Optional.
+                      items:
+                        properties:
+                          disabled:
+                            description: Optional.
+                            nullable: true
+                            type: boolean
+                          match:
+                            description: Match allows providing the scope of the override.
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - metric
+                                - required:
+                                  - customMetric
+                            - required:
+                              - metric
+                            - required:
+                              - customMetric
+                            properties:
+                              customMetric:
+                                description: Allows free-form specification of a metric.
+                                minLength: 1
+                                type: string
+                              metric:
+                                description: |-
+                                  One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/).
+
+                                  Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES
+                                enum:
+                                - ALL_METRICS
+                                - REQUEST_COUNT
+                                - REQUEST_DURATION
+                                - REQUEST_SIZE
+                                - RESPONSE_SIZE
+                                - TCP_OPENED_CONNECTIONS
+                                - TCP_CLOSED_CONNECTIONS
+                                - TCP_SENT_BYTES
+                                - TCP_RECEIVED_BYTES
+                                - GRPC_REQUEST_MESSAGES
+                                - GRPC_RESPONSE_MESSAGES
+                                type: string
+                              mode:
+                                description: |-
+                                  Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.
+
+                                  Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                                enum:
+                                - CLIENT_AND_SERVER
+                                - CLIENT
+                                - SERVER
+                                type: string
+                            type: object
+                          tagOverrides:
+                            additionalProperties:
+                              properties:
+                                operation:
+                                  description: |-
+                                    Operation controls whether or not to update/add a tag, or to remove it.
+
+                                    Valid Options: UPSERT, REMOVE
+                                  enum:
+                                  - UPSERT
+                                  - REMOVE
+                                  type: string
+                                value:
+                                  description: Value is only considered if the operation
+                                    is `UPSERT`.
+                                  type: string
+                              type: object
+                              x-kubernetes-validations:
+                              - message: value must be set when operation is UPSERT
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "UPSERT") ? (self.value != "") : true'
+                              - message: value must not be set when operation is REMOVE
+                                rule: '((has(self.operation) ? self.operation : "")
+                                  == "REMOVE") ? !has(self.value) : true'
+                            description: Optional.
+                            type: object
+                        type: object
+                      type: array
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    reportingInterval:
+                      description: Optional.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              selector:
+                description: Optional.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              tracing:
+                description: Optional.
+                items:
+                  properties:
+                    customTags:
+                      additionalProperties:
+                        oneOf:
+                        - not:
+                            anyOf:
+                            - required:
+                              - literal
+                            - required:
+                              - environment
+                            - required:
+                              - header
+                        - required:
+                          - literal
+                        - required:
+                          - environment
+                        - required:
+                          - header
+                        properties:
+                          environment:
+                            description: Environment adds the value of an environment
+                              variable to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the environment variable from
+                                  which to extract the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          header:
+                            description: RequestHeader adds the value of an header
+                              from the request to each span.
+                            properties:
+                              defaultValue:
+                                description: Optional.
+                                type: string
+                              name:
+                                description: Name of the header from which to extract
+                                  the tag value.
+                                minLength: 1
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          literal:
+                            description: Literal adds the same, hard-coded value to
+                              each span.
+                            properties:
+                              value:
+                                description: The tag value to use.
+                                minLength: 1
+                                type: string
+                            required:
+                            - value
+                            type: object
+                        type: object
+                      description: Optional.
+                      type: object
+                    disableSpanReporting:
+                      description: Controls span reporting.
+                      nullable: true
+                      type: boolean
+                    enableIstioTags:
+                      description: Determines whether or not trace spans generated
+                        by Envoy will include Istio specific tags.
+                      nullable: true
+                      type: boolean
+                    match:
+                      description: Allows tailoring of behavior to specific conditions.
+                      properties:
+                        mode:
+                          description: |-
+                            This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.
+
+                            Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER
+                          enum:
+                          - CLIENT_AND_SERVER
+                          - CLIENT
+                          - SERVER
+                          type: string
+                      type: object
+                    providers:
+                      description: Optional.
+                      items:
+                        properties:
+                          name:
+                            description: Required.
+                            minLength: 1
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
+                    randomSamplingPercentage:
+                      description: Controls the rate at which traffic will be selected
+                        for tracing if no prior sampling decision has been made.
+                      format: double
+                      maximum: 100
+                      minimum: 0
+                      nullable: true
+                      type: number
+                    useRequestIdForTraceSampling:
+                      nullable: true
+                      type: boolean
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: virtualservices.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: VirtualService
+    listKind: VirtualServiceList
+    plural: virtualservices
+    shortNames:
+    - vs
+    singular: virtualservice
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        unmatchedPreflights:
+                          description: |-
+                            Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+                            Valid Options: FORWARD, IGNORE
+                          enum:
+                          - UNSPECIFIED
+                          - FORWARD
+                          - IGNORE
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: |-
+                            On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
+
+                            Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        retryIgnorePreviousHosts:
+                          description: Flag to specify whether the retries should
+                            ignore previously tried hosts during retry.
+                          nullable: true
+                          type: boolean
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        unmatchedPreflights:
+                          description: |-
+                            Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+                            Valid Options: FORWARD, IGNORE
+                          enum:
+                          - UNSPECIFIED
+                          - FORWARD
+                          - IGNORE
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: |-
+                            On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
+
+                            Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        retryIgnorePreviousHosts:
+                          description: Flag to specify whether the retries should
+                            ignore previously tried hosts during retry.
+                          nullable: true
+                          type: boolean
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: The names of gateways and sidecars that should apply these routes
+      jsonPath: .spec.gateways
+      name: Gateways
+      type: string
+    - description: The destination hosts to which traffic is being sent
+      jsonPath: .spec.hosts
+      name: Hosts
+      type: string
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting label/content routing, sni routing,
+              etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html'
+            properties:
+              exportTo:
+                description: A list of namespaces to which this virtual service is
+                  exported.
+                items:
+                  type: string
+                type: array
+              gateways:
+                description: The names of gateways and sidecars that should apply
+                  these routes.
+                items:
+                  type: string
+                type: array
+              hosts:
+                description: The destination hosts to which traffic is being sent.
+                items:
+                  type: string
+                type: array
+              http:
+                description: An ordered list of route rules for HTTP traffic.
+                items:
+                  properties:
+                    corsPolicy:
+                      description: Cross-Origin Resource Sharing policy (CORS).
+                      properties:
+                        allowCredentials:
+                          description: Indicates whether the caller is allowed to
+                            send the actual request (not the preflight) using credentials.
+                          nullable: true
+                          type: boolean
+                        allowHeaders:
+                          description: List of HTTP headers that can be used when
+                            requesting the resource.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: List of HTTP methods allowed to access the
+                            resource.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigin:
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: String patterns that match allowed origins.
+                          items:
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          type: array
+                        exposeHeaders:
+                          description: A list of HTTP headers that the browsers are
+                            allowed to access.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Specifies how long the results of a preflight
+                            request can be cached.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        unmatchedPreflights:
+                          description: |-
+                            Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream.
+
+                            Valid Options: FORWARD, IGNORE
+                          enum:
+                          - UNSPECIFIED
+                          - FORWARD
+                          - IGNORE
+                          type: string
+                      type: object
+                    delegate:
+                      description: Delegate is used to specify the particular VirtualService
+                        which can be used to define delegate HTTPRoute.
+                      properties:
+                        name:
+                          description: Name specifies the name of the delegate VirtualService.
+                          type: string
+                        namespace:
+                          description: Namespace specifies the namespace where the
+                            delegate VirtualService resides.
+                          type: string
+                      type: object
+                    directResponse:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      properties:
+                        body:
+                          description: Specifies the content of the response body.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - string
+                              - required:
+                                - bytes
+                          - required:
+                            - string
+                          - required:
+                            - bytes
+                          properties:
+                            bytes:
+                              description: response body as base64 encoded bytes.
+                              format: binary
+                              type: string
+                            string:
+                              type: string
+                          type: object
+                        status:
+                          description: Specifies the HTTP response status to be returned.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                      required:
+                      - status
+                      type: object
+                    fault:
+                      description: Fault injection policy to apply on HTTP traffic
+                        at the client side.
+                      properties:
+                        abort:
+                          description: Abort Http request attempts and return error
+                            codes back to downstream service, giving the impression
+                            that the upstream service is faulty.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - httpStatus
+                              - required:
+                                - grpcStatus
+                              - required:
+                                - http2Error
+                          - required:
+                            - httpStatus
+                          - required:
+                            - grpcStatus
+                          - required:
+                            - http2Error
+                          properties:
+                            grpcStatus:
+                              description: GRPC status code to use to abort the request.
+                              type: string
+                            http2Error:
+                              type: string
+                            httpStatus:
+                              description: HTTP status code to use to abort the Http
+                                request.
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests to be aborted with
+                                the error code provided.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                        delay:
+                          description: Delay requests before forwarding, emulating
+                            various failures such as network issues, overloaded upstream
+                            service, etc.
+                          oneOf:
+                          - not:
+                              anyOf:
+                              - required:
+                                - fixedDelay
+                              - required:
+                                - exponentialDelay
+                          - required:
+                            - fixedDelay
+                          - required:
+                            - exponentialDelay
+                          properties:
+                            exponentialDelay:
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            fixedDelay:
+                              description: Add a fixed delay before forwarding the
+                                request.
+                              type: string
+                              x-kubernetes-validations:
+                              - message: must be a valid duration greater than 1ms
+                                rule: duration(self) >= duration('1ms')
+                            percent:
+                              description: Percentage of requests on which the delay
+                                will be injected (0-100).
+                              format: int32
+                              type: integer
+                            percentage:
+                              description: Percentage of requests on which the delay
+                                will be injected.
+                              properties:
+                                value:
+                                  format: double
+                                  type: number
+                              type: object
+                          type: object
+                      type: object
+                    headers:
+                      properties:
+                        request:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        response:
+                          properties:
+                            add:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            remove:
+                              items:
+                                type: string
+                              type: array
+                            set:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                      type: object
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          authority:
+                            description: 'HTTP Authority values are case-sensitive
+                              and formatted as follows: - `exact: "value"` for exact
+                              string match - `prefix: "value"` for prefix-based match
+                              - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          headers:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: The header keys must be lowercase and use
+                              hyphen as the separator, e.g.
+                            type: object
+                          ignoreUriCase:
+                            description: Flag to specify whether the URI matching
+                              should be case-insensitive.
+                            type: boolean
+                          method:
+                            description: 'HTTP Method values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          name:
+                            description: The name assigned to a match.
+                            type: string
+                          port:
+                            description: Specifies the ports on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          queryParams:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: Query parameters for matching.
+                            type: object
+                          scheme:
+                            description: 'URI Scheme values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to source (client) workloads with the given
+                              labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          statPrefix:
+                            description: The human readable prefix to use when emitting
+                              statistics for this route.
+                            type: string
+                          uri:
+                            description: 'URI to match values are case-sensitive and
+                              formatted as follows: - `exact: "value"` for exact string
+                              match - `prefix: "value"` for prefix-based match - `regex:
+                              "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                            oneOf:
+                            - not:
+                                anyOf:
+                                - required:
+                                  - exact
+                                - required:
+                                  - prefix
+                                - required:
+                                  - regex
+                            - required:
+                              - exact
+                            - required:
+                              - prefix
+                            - required:
+                              - regex
+                            properties:
+                              exact:
+                                type: string
+                              prefix:
+                                type: string
+                              regex:
+                                description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                type: string
+                            type: object
+                          withoutHeaders:
+                            additionalProperties:
+                              oneOf:
+                              - not:
+                                  anyOf:
+                                  - required:
+                                    - exact
+                                  - required:
+                                    - prefix
+                                  - required:
+                                    - regex
+                              - required:
+                                - exact
+                              - required:
+                                - prefix
+                              - required:
+                                - regex
+                              properties:
+                                exact:
+                                  type: string
+                                prefix:
+                                  type: string
+                                regex:
+                                  description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                                  type: string
+                              type: object
+                            description: withoutHeader has the same syntax with the
+                              header, but has opposite meaning.
+                            type: object
+                        type: object
+                      type: array
+                    mirror:
+                      description: Mirror HTTP traffic to a another destination in
+                        addition to forwarding the requests to the intended destination.
+                      properties:
+                        host:
+                          description: The name of a service from the service registry.
+                          type: string
+                        port:
+                          description: Specifies the port on the host that is being
+                            addressed.
+                          properties:
+                            number:
+                              maximum: 4294967295
+                              minimum: 0
+                              type: integer
+                          type: object
+                        subset:
+                          description: The name of a subset within the service.
+                          type: string
+                      required:
+                      - host
+                      type: object
+                    mirror_percent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercent:
+                      maximum: 4294967295
+                      minimum: 0
+                      nullable: true
+                      type: integer
+                    mirrorPercentage:
+                      description: Percentage of the traffic to be mirrored by the
+                        `mirror` field.
+                      properties:
+                        value:
+                          format: double
+                          type: number
+                      type: object
+                    mirrors:
+                      description: Specifies the destinations to mirror HTTP traffic
+                        in addition to the original destination.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination specifies the target of the mirror
+                              operation.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          percentage:
+                            description: Percentage of the traffic to be mirrored
+                              by the `destination` field.
+                            properties:
+                              value:
+                                format: double
+                                type: number
+                            type: object
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    name:
+                      description: The name assigned to the route for debugging purposes.
+                      type: string
+                    redirect:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      oneOf:
+                      - not:
+                          anyOf:
+                          - required:
+                            - port
+                          - required:
+                            - derivePort
+                      - required:
+                        - port
+                      - required:
+                        - derivePort
+                      properties:
+                        authority:
+                          description: On a redirect, overwrite the Authority/Host
+                            portion of the URL with this value.
+                          type: string
+                        derivePort:
+                          description: |-
+                            On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
+
+                            Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT
+                          enum:
+                          - FROM_PROTOCOL_DEFAULT
+                          - FROM_REQUEST_PORT
+                          type: string
+                        port:
+                          description: On a redirect, overwrite the port portion of
+                            the URL with this value.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        redirectCode:
+                          description: On a redirect, Specifies the HTTP status code
+                            to use in the redirect response.
+                          maximum: 4294967295
+                          minimum: 0
+                          type: integer
+                        scheme:
+                          description: On a redirect, overwrite the scheme portion
+                            of the URL with this value.
+                          type: string
+                        uri:
+                          description: On a redirect, overwrite the Path portion of
+                            the URL with this value.
+                          type: string
+                      type: object
+                    retries:
+                      description: Retry policy for HTTP requests.
+                      properties:
+                        attempts:
+                          description: Number of retries to be allowed for a given
+                            request.
+                          format: int32
+                          type: integer
+                        perTryTimeout:
+                          description: Timeout per attempt for a given request, including
+                            the initial call and any retries.
+                          type: string
+                          x-kubernetes-validations:
+                          - message: must be a valid duration greater than 1ms
+                            rule: duration(self) >= duration('1ms')
+                        retryIgnorePreviousHosts:
+                          description: Flag to specify whether the retries should
+                            ignore previously tried hosts during retry.
+                          nullable: true
+                          type: boolean
+                        retryOn:
+                          description: Specifies the conditions under which retry
+                            takes place.
+                          type: string
+                        retryRemoteLocalities:
+                          description: Flag to specify whether the retries should
+                            retry to other localities.
+                          nullable: true
+                          type: boolean
+                      type: object
+                    rewrite:
+                      description: Rewrite HTTP URIs and Authority headers.
+                      properties:
+                        authority:
+                          description: rewrite the Authority/Host header with this
+                            value.
+                          type: string
+                        uri:
+                          description: rewrite the path (or the prefix) portion of
+                            the URI with this value.
+                          type: string
+                        uriRegexRewrite:
+                          description: rewrite the path portion of the URI with the
+                            specified regex.
+                          properties:
+                            match:
+                              description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).'
+                              type: string
+                            rewrite:
+                              description: The string that should replace into matching
+                                portions of original URI.
+                              type: string
+                          type: object
+                      type: object
+                    route:
+                      description: A HTTP rule can either return a direct_response,
+                        redirect or forward (default) traffic.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          headers:
+                            properties:
+                              request:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                              response:
+                                properties:
+                                  add:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                  remove:
+                                    items:
+                                      type: string
+                                    type: array
+                                  set:
+                                    additionalProperties:
+                                      type: string
+                                    type: object
+                                type: object
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                    timeout:
+                      description: Timeout for HTTP requests, default is disabled.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: must be a valid duration greater than 1ms
+                        rule: duration(self) >= duration('1ms')
+                  type: object
+                type: array
+              tcp:
+                description: An ordered list of route rules for opaque TCP traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                          sourceSubnet:
+                            type: string
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  type: object
+                type: array
+              tls:
+                description: An ordered list of route rule for non-terminated TLS
+                  & HTTPS traffic.
+                items:
+                  properties:
+                    match:
+                      description: Match conditions to be satisfied for the rule to
+                        be activated.
+                      items:
+                        properties:
+                          destinationSubnets:
+                            description: IPv4 or IPv6 ip addresses of destination
+                              with optional subnet.
+                            items:
+                              type: string
+                            type: array
+                          gateways:
+                            description: Names of gateways where the rule should be
+                              applied.
+                            items:
+                              type: string
+                            type: array
+                          port:
+                            description: Specifies the port on the host that is being
+                              addressed.
+                            maximum: 4294967295
+                            minimum: 0
+                            type: integer
+                          sniHosts:
+                            description: SNI (server name indicator) to match on.
+                            items:
+                              type: string
+                            type: array
+                          sourceLabels:
+                            additionalProperties:
+                              type: string
+                            description: One or more labels that constrain the applicability
+                              of a rule to workloads with the given labels.
+                            type: object
+                          sourceNamespace:
+                            description: Source namespace constraining the applicability
+                              of a rule to workloads in that namespace.
+                            type: string
+                        required:
+                        - sniHosts
+                        type: object
+                      type: array
+                    route:
+                      description: The destination to which the connection should
+                        be forwarded to.
+                      items:
+                        properties:
+                          destination:
+                            description: Destination uniquely identifies the instances
+                              of a service to which the request/connection should
+                              be forwarded to.
+                            properties:
+                              host:
+                                description: The name of a service from the service
+                                  registry.
+                                type: string
+                              port:
+                                description: Specifies the port on the host that is
+                                  being addressed.
+                                properties:
+                                  number:
+                                    maximum: 4294967295
+                                    minimum: 0
+                                    type: integer
+                                type: object
+                              subset:
+                                description: The name of a subset within the service.
+                                type: string
+                            required:
+                            - host
+                            type: object
+                          weight:
+                            description: Weight specifies the relative proportion
+                              of traffic to be forwarded to the destination.
+                            format: int32
+                            type: integer
+                        required:
+                        - destination
+                        type: object
+                      type: array
+                  required:
+                  - match
+                  type: object
+                type: array
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: wasmplugins.extensions.istio.io
+spec:
+  group: extensions.istio.io
+  names:
+    categories:
+    - istio-io
+    - extensions-istio-io
+    kind: WasmPlugin
+    listKind: WasmPluginList
+    plural: wasmplugins
+    singular: wasmplugin
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Extend the functionality provided by the Istio proxy through
+              WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
+            properties:
+              failStrategy:
+                description: |-
+                  Specifies the failure behavior for the plugin due to fatal errors.
+
+                  Valid Options: FAIL_CLOSE, FAIL_OPEN
+                enum:
+                - FAIL_CLOSE
+                - FAIL_OPEN
+                type: string
+              imagePullPolicy:
+                description: |-
+                  The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`.
+
+                  Valid Options: IfNotPresent, Always
+                enum:
+                - UNSPECIFIED_POLICY
+                - IfNotPresent
+                - Always
+                type: string
+              imagePullSecret:
+                description: Credentials to use for OCI image pulling.
+                maxLength: 253
+                minLength: 1
+                type: string
+              match:
+                description: Specifies the criteria to determine which traffic is
+                  passed to WasmPlugin.
+                items:
+                  properties:
+                    mode:
+                      description: |-
+                        Criteria for selecting traffic by their direction.
+
+                        Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER
+                      enum:
+                      - UNDEFINED
+                      - CLIENT
+                      - SERVER
+                      - CLIENT_AND_SERVER
+                      type: string
+                    ports:
+                      description: Criteria for selecting traffic by their destination
+                        port.
+                      items:
+                        properties:
+                          number:
+                            maximum: 65535
+                            minimum: 1
+                            type: integer
+                        required:
+                        - number
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - number
+                      x-kubernetes-list-type: map
+                  type: object
+                type: array
+              phase:
+                description: |-
+                  Determines where in the filter chain this `WasmPlugin` is to be injected.
+
+                  Valid Options: AUTHN, AUTHZ, STATS
+                enum:
+                - UNSPECIFIED_PHASE
+                - AUTHN
+                - AUTHZ
+                - STATS
+                type: string
+              pluginConfig:
+                description: The configuration that will be passed on to the plugin.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+              pluginName:
+                description: The plugin name to be used in the Envoy configuration
+                  (used to be called `rootID`).
+                maxLength: 256
+                minLength: 1
+                type: string
+              priority:
+                description: Determines ordering of `WasmPlugins` in the same `phase`.
+                format: int32
+                nullable: true
+                type: integer
+              selector:
+                description: Criteria used to select the specific set of pods/VMs
+                  on which this plugin configuration should be applied.
+                properties:
+                  matchLabels:
+                    additionalProperties:
+                      maxLength: 63
+                      type: string
+                      x-kubernetes-validations:
+                      - message: wildcard not allowed in label value match
+                        rule: '!self.contains("*")'
+                    description: One or more labels that indicate a specific set of
+                      pods/VMs on which a policy should be applied.
+                    maxProperties: 4096
+                    type: object
+                    x-kubernetes-validations:
+                    - message: wildcard not allowed in label key match
+                      rule: self.all(key, !key.contains("*"))
+                    - message: key must not be empty
+                      rule: self.all(key, key.size() != 0)
+                type: object
+              sha256:
+                description: SHA256 checksum that will be used to verify Wasm module
+                  or OCI container.
+                pattern: (^$|^[a-f0-9]{64}$)
+                type: string
+              targetRef:
+                properties:
+                  group:
+                    description: group is the group of the target resource.
+                    maxLength: 253
+                    pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                    type: string
+                  kind:
+                    description: kind is kind of the target resource.
+                    maxLength: 63
+                    minLength: 1
+                    pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                    type: string
+                  name:
+                    description: name is the name of the target resource.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: namespace is the namespace of the referent.
+                    type: string
+                    x-kubernetes-validations:
+                    - message: cross namespace referencing is not currently supported
+                      rule: self.size() == 0
+                required:
+                - kind
+                - name
+                type: object
+              targetRefs:
+                description: Optional.
+                items:
+                  properties:
+                    group:
+                      description: group is the group of the target resource.
+                      maxLength: 253
+                      pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                      type: string
+                    kind:
+                      description: kind is kind of the target resource.
+                      maxLength: 63
+                      minLength: 1
+                      pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
+                      type: string
+                    name:
+                      description: name is the name of the target resource.
+                      maxLength: 253
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: namespace is the namespace of the referent.
+                      type: string
+                      x-kubernetes-validations:
+                      - message: cross namespace referencing is not currently supported
+                        rule: self.size() == 0
+                  required:
+                  - kind
+                  - name
+                  type: object
+                maxItems: 16
+                type: array
+              type:
+                description: |-
+                  Specifies the type of Wasm Extension to be used.
+
+                  Valid Options: HTTP, NETWORK
+                enum:
+                - UNSPECIFIED_PLUGIN_TYPE
+                - HTTP
+                - NETWORK
+                type: string
+              url:
+                description: URL of a Wasm module or OCI container.
+                minLength: 1
+                type: string
+                x-kubernetes-validations:
+                - message: url must have schema one of [http, https, file, oci]
+                  rule: |-
+                    isURL(self) ? (url(self).getScheme() in ["", "http", "https", "oci", "file"]) : (isURL("http://" + self) &&
+                    url("http://" + self).getScheme() in ["", "http", "https", "oci", "file"])
+              verificationKey:
+                type: string
+              vmConfig:
+                description: Configuration for a Wasm VM.
+                properties:
+                  env:
+                    description: Specifies environment variables to be injected to
+                      this VM.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the environment variable.
+                          maxLength: 256
+                          minLength: 1
+                          type: string
+                        value:
+                          description: Value for the environment variable.
+                          maxLength: 2048
+                          type: string
+                        valueFrom:
+                          description: |-
+                            Source for the environment variable's value.
+
+                            Valid Options: INLINE, HOST
+                          enum:
+                          - INLINE
+                          - HOST
+                          type: string
+                      required:
+                      - name
+                      type: object
+                      x-kubernetes-validations:
+                      - message: value may only be set when valueFrom is INLINE
+                        rule: '(has(self.valueFrom) ? self.valueFrom : "") != "HOST"
+                          || !has(self.value)'
+                    maxItems: 256
+                    type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    x-kubernetes-list-type: map
+                type: object
+            required:
+            - url
+            type: object
+            x-kubernetes-validations:
+            - message: only one of targetRefs or selector can be set
+              rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0)
+                + (has(self.targetRefs) ? 1 : 0) <= 1'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: workloadentries.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadEntry
+    listKind: WorkloadEntryList
+    plural: workloadentries
+    shortNames:
+    - we
+    singular: workloadentry
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                maxLength: 256
+                type: string
+                x-kubernetes-validations:
+                - message: UDS must be an absolute path or abstract socket
+                  rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/"
+                    || self.substring(7, 8) == "@") : true'
+                - message: UDS may not be a dir
+                  rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                maxProperties: 256
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                maxLength: 2048
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                maxLength: 2048
+                type: string
+              ports:
+                additionalProperties:
+                  maximum: 4294967295
+                  minimum: 0
+                  type: integer
+                  x-kubernetes-validations:
+                  - message: port must be between 1-65535
+                    rule: 0 < self && self <= 65535
+                description: Set of ports associated with the endpoint.
+                maxProperties: 128
+                type: object
+                x-kubernetes-validations:
+                - message: port name must be valid
+                  rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                maxLength: 253
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+            type: object
+            x-kubernetes-validations:
+            - message: Address is required
+              rule: has(self.address) || has(self.network)
+            - message: UDS may not include ports
+              rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                ? !has(self.ports) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                maxLength: 256
+                type: string
+                x-kubernetes-validations:
+                - message: UDS must be an absolute path or abstract socket
+                  rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/"
+                    || self.substring(7, 8) == "@") : true'
+                - message: UDS may not be a dir
+                  rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                maxProperties: 256
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                maxLength: 2048
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                maxLength: 2048
+                type: string
+              ports:
+                additionalProperties:
+                  maximum: 4294967295
+                  minimum: 0
+                  type: integer
+                  x-kubernetes-validations:
+                  - message: port must be between 1-65535
+                    rule: 0 < self && self <= 65535
+                description: Set of ports associated with the endpoint.
+                maxProperties: 128
+                type: object
+                x-kubernetes-validations:
+                - message: port name must be valid
+                  rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                maxLength: 253
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+            type: object
+            x-kubernetes-validations:
+            - message: Address is required
+              rule: has(self.address) || has(self.network)
+            - message: UDS may not include ports
+              rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                ? !has(self.ports) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Address associated with the network endpoint.
+      jsonPath: .spec.address
+      name: Address
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Configuration affecting VMs onboarded into the mesh. See
+              more details at: https://istio.io/docs/reference/config/networking/workload-entry.html'
+            properties:
+              address:
+                description: Address associated with the network endpoint without
+                  the port.
+                maxLength: 256
+                type: string
+                x-kubernetes-validations:
+                - message: UDS must be an absolute path or abstract socket
+                  rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/"
+                    || self.substring(7, 8) == "@") : true'
+                - message: UDS may not be a dir
+                  rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+              labels:
+                additionalProperties:
+                  type: string
+                description: One or more labels associated with the endpoint.
+                maxProperties: 256
+                type: object
+              locality:
+                description: The locality associated with the endpoint.
+                maxLength: 2048
+                type: string
+              network:
+                description: Network enables Istio to group endpoints resident in
+                  the same L3 domain/network.
+                maxLength: 2048
+                type: string
+              ports:
+                additionalProperties:
+                  maximum: 4294967295
+                  minimum: 0
+                  type: integer
+                  x-kubernetes-validations:
+                  - message: port must be between 1-65535
+                    rule: 0 < self && self <= 65535
+                description: Set of ports associated with the endpoint.
+                maxProperties: 128
+                type: object
+                x-kubernetes-validations:
+                - message: port name must be valid
+                  rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+              serviceAccount:
+                description: The service account associated with the workload if a
+                  sidecar is present in the workload.
+                maxLength: 253
+                type: string
+              weight:
+                description: The load balancing weight associated with the endpoint.
+                maximum: 4294967295
+                minimum: 0
+                type: integer
+            type: object
+            x-kubernetes-validations:
+            - message: Address is required
+              rule: has(self.address) || has(self.network)
+            - message: UDS may not include ports
+              rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                ? !has(self.ports) : true'
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+  name: workloadgroups.networking.istio.io
+spec:
+  group: networking.istio.io
+  names:
+    categories:
+    - istio-io
+    - networking-istio-io
+    kind: WorkloadGroup
+    listKind: WorkloadGroupList
+    plural: workloadgroups
+    shortNames:
+    - wg
+    singular: workloadgroup
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                    - required:
+                      - grpc
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                - required:
+                  - grpc
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          minLength: 1
+                          type: string
+                        type: array
+                    required:
+                    - command
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  grpc:
+                    description: GRPC call is made and response/error is used to determine
+                      health.
+                    properties:
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      service:
+                        type: string
+                    type: object
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              pattern: ^[-_A-Za-z0-9]+$
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      scheme:
+                        type: string
+                        x-kubernetes-validations:
+                        - message: scheme must be one of [HTTP, HTTPS]
+                          rule: self in ["", "HTTP", "HTTPS"]
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    maxLength: 256
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UDS must be an absolute path or abstract socket
+                      rule: 'self.startsWith("unix://") ? (self.substring(7, 8) ==
+                        "/" || self.substring(7, 8) == "@") : true'
+                    - message: UDS may not be a dir
+                      rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    maxProperties: 256
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    maxLength: 2048
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    maxLength: 2048
+                    type: string
+                  ports:
+                    additionalProperties:
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    description: Set of ports associated with the endpoint.
+                    maxProperties: 128
+                    type: object
+                    x-kubernetes-validations:
+                    - message: port name must be valid
+                      rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    maxLength: 253
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    maximum: 4294967295
+                    minimum: 0
+                    type: integer
+                type: object
+                x-kubernetes-validations:
+                - message: UDS may not include ports
+                  rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                    ? !has(self.ports) : true'
+            required:
+            - template
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha3
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                    - required:
+                      - grpc
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                - required:
+                  - grpc
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          minLength: 1
+                          type: string
+                        type: array
+                    required:
+                    - command
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  grpc:
+                    description: GRPC call is made and response/error is used to determine
+                      health.
+                    properties:
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      service:
+                        type: string
+                    type: object
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              pattern: ^[-_A-Za-z0-9]+$
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      scheme:
+                        type: string
+                        x-kubernetes-validations:
+                        - message: scheme must be one of [HTTP, HTTPS]
+                          rule: self in ["", "HTTP", "HTTPS"]
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    maxLength: 256
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UDS must be an absolute path or abstract socket
+                      rule: 'self.startsWith("unix://") ? (self.substring(7, 8) ==
+                        "/" || self.substring(7, 8) == "@") : true'
+                    - message: UDS may not be a dir
+                      rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    maxProperties: 256
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    maxLength: 2048
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    maxLength: 2048
+                    type: string
+                  ports:
+                    additionalProperties:
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    description: Set of ports associated with the endpoint.
+                    maxProperties: 128
+                    type: object
+                    x-kubernetes-validations:
+                    - message: port name must be valid
+                      rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    maxLength: 253
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    maximum: 4294967295
+                    minimum: 0
+                    type: integer
+                type: object
+                x-kubernetes-validations:
+                - message: UDS may not include ports
+                  rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                    ? !has(self.ports) : true'
+            required:
+            - template
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+      jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            description: 'Describes a collection of workload instances. See more details
+              at: https://istio.io/docs/reference/config/networking/workload-group.html'
+            properties:
+              metadata:
+                description: Metadata that will be used for all corresponding `WorkloadEntries`.
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    maxProperties: 256
+                    type: object
+                type: object
+              probe:
+                description: '`ReadinessProbe` describes the configuration the user
+                  must provide for healthchecking on their workload.'
+                oneOf:
+                - not:
+                    anyOf:
+                    - required:
+                      - httpGet
+                    - required:
+                      - tcpSocket
+                    - required:
+                      - exec
+                    - required:
+                      - grpc
+                - required:
+                  - httpGet
+                - required:
+                  - tcpSocket
+                - required:
+                  - exec
+                - required:
+                  - grpc
+                properties:
+                  exec:
+                    description: Health is determined by how the command that is executed
+                      exited.
+                    properties:
+                      command:
+                        description: Command to run.
+                        items:
+                          minLength: 1
+                          type: string
+                        type: array
+                    required:
+                    - command
+                    type: object
+                  failureThreshold:
+                    description: Minimum consecutive failures for the probe to be
+                      considered failed after having succeeded.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  grpc:
+                    description: GRPC call is made and response/error is used to determine
+                      health.
+                    properties:
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      service:
+                        type: string
+                    type: object
+                  httpGet:
+                    description: '`httpGet` is performed to a given endpoint and the
+                      status/able to connect determines health.'
+                    properties:
+                      host:
+                        description: Host name to connect to, defaults to the pod
+                          IP.
+                        type: string
+                      httpHeaders:
+                        description: Headers the proxy will pass on to make the request.
+                        items:
+                          properties:
+                            name:
+                              pattern: ^[-_A-Za-z0-9]+$
+                              type: string
+                            value:
+                              type: string
+                          type: object
+                        type: array
+                      path:
+                        description: Path to access on the HTTP server.
+                        type: string
+                      port:
+                        description: Port on which the endpoint lives.
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                      scheme:
+                        type: string
+                        x-kubernetes-validations:
+                        - message: scheme must be one of [HTTP, HTTPS]
+                          rule: self in ["", "HTTP", "HTTPS"]
+                    required:
+                    - port
+                    type: object
+                  initialDelaySeconds:
+                    description: Number of seconds after the container has started
+                      before readiness probes are initiated.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  periodSeconds:
+                    description: How often (in seconds) to perform the probe.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  successThreshold:
+                    description: Minimum consecutive successes for the probe to be
+                      considered successful after having failed.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                  tcpSocket:
+                    description: Health is determined by if the proxy is able to connect.
+                    properties:
+                      host:
+                        type: string
+                      port:
+                        maximum: 4294967295
+                        minimum: 0
+                        type: integer
+                        x-kubernetes-validations:
+                        - message: port must be between 1-65535
+                          rule: 0 < self && self <= 65535
+                    required:
+                    - port
+                    type: object
+                  timeoutSeconds:
+                    description: Number of seconds after which the probe times out.
+                    format: int32
+                    minimum: 0
+                    type: integer
+                type: object
+              template:
+                description: Template to be used for the generation of `WorkloadEntry`
+                  resources that belong to this `WorkloadGroup`.
+                properties:
+                  address:
+                    description: Address associated with the network endpoint without
+                      the port.
+                    maxLength: 256
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UDS must be an absolute path or abstract socket
+                      rule: 'self.startsWith("unix://") ? (self.substring(7, 8) ==
+                        "/" || self.substring(7, 8) == "@") : true'
+                    - message: UDS may not be a dir
+                      rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true'
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: One or more labels associated with the endpoint.
+                    maxProperties: 256
+                    type: object
+                  locality:
+                    description: The locality associated with the endpoint.
+                    maxLength: 2048
+                    type: string
+                  network:
+                    description: Network enables Istio to group endpoints resident
+                      in the same L3 domain/network.
+                    maxLength: 2048
+                    type: string
+                  ports:
+                    additionalProperties:
+                      maximum: 4294967295
+                      minimum: 0
+                      type: integer
+                      x-kubernetes-validations:
+                      - message: port must be between 1-65535
+                        rule: 0 < self && self <= 65535
+                    description: Set of ports associated with the endpoint.
+                    maxProperties: 128
+                    type: object
+                    x-kubernetes-validations:
+                    - message: port name must be valid
+                      rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$"))
+                  serviceAccount:
+                    description: The service account associated with the workload
+                      if a sidecar is present in the workload.
+                    maxLength: 253
+                    type: string
+                  weight:
+                    description: The load balancing weight associated with the endpoint.
+                    maximum: 4294967295
+                    minimum: 0
+                    type: integer
+                type: object
+                x-kubernetes-validations:
+                - message: UDS may not include ports
+                  rule: '(has(self.address) ? self.address : "").startsWith("unix://")
+                    ? !has(self.ports) : true'
+            required:
+            - template
+            type: object
+          status:
+            properties:
+              conditions:
+                description: Current service state of the resource.
+                items:
+                  properties:
+                    lastProbeTime:
+                      description: Last time we probed the condition.
+                      format: date-time
+                      type: string
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    observedGeneration:
+                      anyOf:
+                      - type: integer
+                      - type: string
+                      description: Resource Generation to which the Condition refers.
+                      x-kubernetes-int-or-string: true
+                    reason:
+                      description: Unique, one-word, CamelCase reason for the condition's
+                        last transition.
+                      type: string
+                    status:
+                      description: Status is the status of the condition.
+                      type: string
+                    type:
+                      description: Type is the type of the condition.
+                      type: string
+                  type: object
+                type: array
+              observedGeneration:
+                anyOf:
+                - type: integer
+                - type: string
+                x-kubernetes-int-or-string: true
+              validationMessages:
+                description: Includes any errors or warnings detected by Istio's analyzers.
+                items:
+                  properties:
+                    documentationUrl:
+                      description: A url pointing to the Istio documentation for this
+                        specific error type.
+                      type: string
+                    level:
+                      description: |-
+                        Represents how severe a message is.
+
+                        Valid Options: UNKNOWN, ERROR, WARNING, INFO
+                      enum:
+                      - UNKNOWN
+                      - ERROR
+                      - WARNING
+                      - INFO
+                      type: string
+                    type:
+                      properties:
+                        code:
+                          description: A 7 character code matching `^IST[0-9]{4}$`
+                            intended to uniquely identify the message type.
+                          type: string
+                        name:
+                          description: A human-readable name for the message type.
+                          type: string
+                      type: object
+                  type: object
+                type: array
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/components/crds/kustomization.yaml b/deploy/components/crds/kustomization.yaml
new file mode 100644
index 000000000..975bbe4f8
--- /dev/null
+++ b/deploy/components/crds/kustomization.yaml
@@ -0,0 +1,19 @@
+# ------------------------------------------------------------------------------
+# Custom Resource Definitions (CRDs)
+#
+# This deploys the CRDs needed for development environments (e.g. Gateway API).
+#
+# **Warning**: CRDs are cluster-level, so in a shared development environment
+# this needs to be done in a controlled and communicated manner.
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+# Gateway API CRDs
+- https://github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.2.1
+# Gateway API Inference Extension (GIE) CRDs
+# NOTE: deploys whatever is in the current branch
+- ../../../config/crd # GIE CRDs
+# Istio CRDs
+- istio.yaml
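Review bot: The remote Gateway API entry under `resources` is fetched from GitHub at the tag `v1.2.1`, and a tag can be moved upstream, so what gets installed cluster-wide is not fixed by this file. Kustomize accepts a commit in `ref`, so I would pin it and keep the version as a comment: `- https://github.com/kubernetes-sigs/gateway-api/config/crd?ref=<COMMIT_SHA_FOR_v1.2.1>  # v1.2.1`. The existing NOTE already says the GIE CRDs track the current branch. The header warning could add that applying from an unreviewed branch changes schemas for every tenant of the cluster.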
diff --git a/deploy/components/inference-gateway/deployments.yaml b/deploy/components/inference-gateway/deployments.yaml
new file mode 100644
index 000000000..8f5ab9fc1
--- /dev/null
+++ b/deploy/components/inference-gateway/deployments.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: endpoint-picker
+  labels:
+    app: endpoint-picker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: endpoint-picker
+  template:
+    metadata:
+      labels:
+        app: endpoint-picker
+    spec:
+      serviceAccountName: endpoint-picker
+      terminationGracePeriodSeconds: 130
+      containers:
+      - name: epp
+        image: quay.io/vllm-d/gateway-api-inference-extension/epp:latest
+        imagePullPolicy: IfNotPresent
+        args:
+        - -refreshMetricsInterval
+        - "500ms"
+        - -poolName
+        - "vllm-llama3-8b-instruct"
+        - -v
+        - "4"
+        - --zap-encoder
+        - "json"
+        - -grpcPort
+        - "9002"
+        - -grpcHealthPort
+        - "9003"
+        ports:
+        - containerPort: 9002
+        - containerPort: 9003
+        - name: metrics
+          containerPort: 9090
+        livenessProbe:
+          grpc:
+            port: 9003
+            service: inference-extension
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        readinessProbe:
+          grpc:
+            port: 9003
+            service: inference-extension
+          initialDelaySeconds: 5
+          periodSeconds: 10
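Review bot: The `epp` container is declared without a `securityContext`, so it runs with whatever the image and the namespace defaults allow, while its service account can read pods and inference resources in the namespace. I would add a container-level context that forbids privilege escalation and drops all capabilities, as sketched below. The non-root and read-only-root settings assume the image supports them, which needs confirming. Requests and limits are missing as well and should be sized from measurement. Separately, `:latest` with `imagePullPolicy: IfNotPresent` reuses a cached image whenever this manifest is applied without the kustomization's `newTag` override.

```yaml
      - name: epp
        # … unchanged: image, imagePullPolicy, args, ports, probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
```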
diff --git a/deploy/components/inference-gateway/destination-rules.yaml b/deploy/components/inference-gateway/destination-rules.yaml
new file mode 100644
index 000000000..20a91a6fa
--- /dev/null
+++ b/deploy/components/inference-gateway/destination-rules.yaml
@@ -0,0 +1,11 @@
+# **WARNING** Only use in testing scenarios
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+  name: endpoint-picker-insecure-tls
+spec:
+  host: endpoint-picker
+  trafficPolicy:
+      tls:
+        mode: SIMPLE
+        insecureSkipVerify: true
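Review bot: `insecureSkipVerify: true` disables server-certificate verification for every mesh client that calls `endpoint-picker`, and the only guard is the comment on the first line. `destination-rules.yaml` is listed unconditionally in this component's `kustomization.yaml`, so every environment that applies the component gets it. I would move the rule into a test-only overlay, or keep `mode: SIMPLE` and verify the peer by setting `caCertificates` and `subjectAltNames` under `tls` instead of the skip. The `tls` block is also nested four spaces under `trafficPolicy`, where the rest of the file uses two.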
diff --git a/deploy/components/inference-gateway/gateways.yaml b/deploy/components/inference-gateway/gateways.yaml
new file mode 100644
index 000000000..98a8c7f17
--- /dev/null
+++ b/deploy/components/inference-gateway/gateways.yaml
@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: inference-gateway
+  labels:
+    istio.io/enable-inference-extproc: "true"
+  annotations:
+    networking.istio.io/service-type: ClusterIP
+spec:
+  gatewayClassName: istio
+  listeners:
+  - name: default
+    port: 80
+    protocol: HTTP
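Review bot: The only listener is plaintext `HTTP` on port 80, so prompts and completions routed through `inference-gateway` cross the cluster network unencrypted unless something outside this file, such as mesh mTLS, protects them. The `networking.istio.io/service-type: ClusterIP` annotation is what keeps this off an external load balancer, and nothing in the file says so. I would add a comment above the annotation, for example `# ClusterIP only: the listener is plaintext HTTP; add an HTTPS listener with certificateRefs before exposing this externally`.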
diff --git a/deploy/components/inference-gateway/httproutes.yaml b/deploy/components/inference-gateway/httproutes.yaml
new file mode 100644
index 000000000..4ef4c04f4
--- /dev/null
+++ b/deploy/components/inference-gateway/httproutes.yaml
@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: inference-route
+spec:
+  parentRefs:
+  - name: inference-gateway
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - group: inference.networking.x-k8s.io
+      kind: InferencePool
+      name: vllm-llama3-8b-instruct
+      port: 8000
diff --git a/deploy/components/inference-gateway/inference-models.yaml b/deploy/components/inference-gateway/inference-models.yaml
new file mode 100644
index 000000000..f729407e9
--- /dev/null
+++ b/deploy/components/inference-gateway/inference-models.yaml
@@ -0,0 +1,9 @@
+apiVersion: inference.networking.x-k8s.io/v1alpha2
+kind: InferenceModel
+metadata:
+  name: food-review
+spec:
+  modelName: food-review
+  criticality: Critical
+  poolRef:
+    name: vllm-llama3-8b-instruct
diff --git a/deploy/components/inference-gateway/inference-pools.yaml b/deploy/components/inference-gateway/inference-pools.yaml
new file mode 100644
index 000000000..ece6e5009
--- /dev/null
+++ b/deploy/components/inference-gateway/inference-pools.yaml
@@ -0,0 +1,10 @@
+apiVersion: inference.networking.x-k8s.io/v1alpha2
+kind: InferencePool
+metadata:
+  name: vllm-llama3-8b-instruct
+spec:
+  targetPortNumber: 8000
+  selector:
+    app: vllm-llama3-8b-instruct
+  extensionRef:
+    name: endpoint-picker
diff --git a/deploy/components/inference-gateway/kustomization.yaml b/deploy/components/inference-gateway/kustomization.yaml
new file mode 100644
index 000000000..96278338c
--- /dev/null
+++ b/deploy/components/inference-gateway/kustomization.yaml
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------------------
+# Inference Gateway
+#
+# This deploys a Gateway and the Endpoint Picker (EPP), and attaches the EPP to
+# the Gateway with an EnvoyFilter.
+#
+# Add an HTTPRoute to route traffic to VLLM, or a VLLM simulator.
+#
+# **WARNING**: The EnvoyFilter contains a variable that needs to be replaced
+# with the namespace to match the EPP's Service. For now use sed to replace it,
+# e.g.:
+#
+#   $ kubectl kustomize deploy/components/inference-gateway \
+#     | sed 's/REPLACE_NAMESPACE/mynamespace/gI' \
+#     | kubectl -n mynamespace apply -f -
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- service-accounts.yaml
+- rbac.yaml
+- destination-rules.yaml
+- inference-pools.yaml
+- inference-models.yaml
+- deployments.yaml
+- gateways.yaml
+- httproutes.yaml
+
+images:
+- name: quay.io/vllm-d/gateway-api-inference-extension/epp
+  newTag: 0.0.1
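Review bot: The header comment describes an EnvoyFilter containing a `REPLACE_NAMESPACE` variable, but no EnvoyFilter manifest appears under `resources`, so either the `sed` instructions are stale or a file is missing from the list. As written, the case-insensitive `gI` substitution would rewrite any matching text anywhere in the rendered output before it reaches `kubectl apply`. I would either add the manifest or drop the warning and the `sed` step. The `images` override also pins `epp` to the mutable tag `0.0.1`. Kustomize accepts `digest: sha256:<IMAGE_DIGEST>` in the same entry, which fixes the exact image that is deployed.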
diff --git a/deploy/components/inference-gateway/rbac.yaml b/deploy/components/inference-gateway/rbac.yaml
new file mode 100644
index 000000000..8414d8930
--- /dev/null
+++ b/deploy/components/inference-gateway/rbac.yaml
@@ -0,0 +1,61 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: endpoint-picker
+rules:
+- apiGroups:
+  - "inference.networking.x-k8s.io"
+  resources:
+  - "inferencemodels"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+- apiGroups:
+  - ""
+  resources:
+  - "pods"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+- apiGroups:
+  - "inference.networking.x-k8s.io"
+  resources:
+  - "inferencepools"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+- apiGroups:
+  - "discovery.k8s.io"
+  resources:
+  - "endpointslices"
+  verbs:
+  - "get"
+  - "watch"
+  - "list"
+- apiGroups:
+  - "authentication.k8s.io"
+  resources:
+  - "tokenreviews"
+  verbs:
+  - "create"
+- apiGroups:
+  - "authorization.k8s.io"
+  resources:
+  - "subjectaccessreviews"
+  verbs:
+  - "create"
+--- 
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: endpoint-picker-binding
+subjects:
+- kind: ServiceAccount
+  name: endpoint-picker
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: endpoint-picker
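Review bot: The last two rules grant `create` on `tokenreviews` and `subjectaccessreviews`, but both are cluster-scoped resources, so a namespaced `Role` bound through a `RoleBinding` cannot authorize them and the rules have no effect. If the endpoint picker does call those APIs (not visible here, so this is an assumption), they belong in a `ClusterRole` with a `ClusterRoleBinding` limited to those two rules, as sketched below. Otherwise they should be deleted so the Role lists only what is actually granted. The document separator before the RoleBinding also has a trailing space (`--- `).

```yaml
# … unchanged: namespaced Role and RoleBinding, minus the two review rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: endpoint-picker-auth-reviewer  # constructed name
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: endpoint-picker-auth-reviewer-binding  # constructed name
subjects:
- kind: ServiceAccount
  name: endpoint-picker
  namespace: <NAMESPACE>  # placeholder: required for ClusterRoleBinding subjects
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: endpoint-picker-auth-reviewer
```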
diff --git a/deploy/components/inference-gateway/service-accounts.yaml b/deploy/components/inference-gateway/service-accounts.yaml
new file mode 100644
index 000000000..18cf45701
--- /dev/null
+++ b/deploy/components/inference-gateway/service-accounts.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: endpoint-picker
diff --git a/deploy/components/istio-control-plane/configmaps.yaml b/deploy/components/istio-control-plane/configmaps.yaml
new file mode 100644
index 000000000..27c56e8a7
--- /dev/null
+++ b/deploy/components/istio-control-plane/configmaps.yaml
@@ -0,0 +1,2025 @@
+apiVersion: v1
+data:
+  mesh: |-
+    defaultConfig:
+      discoveryAddress: istiod.istio-system.svc:15012
+    defaultProviders:
+      metrics:
+      - prometheus
+    enablePrometheusMerge: true
+    rootNamespace: istio-system
+    trustDomain: cluster.local
+  meshNetworks: 'networks: {}'
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istio
+  namespace: istio-system
+---
+apiVersion: v1
+data:
+  config: |-
+    # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+    defaultTemplates: [sidecar]
+    policy: enabled
+    alwaysInjectSelector:
+      []
+    neverInjectSelector:
+      []
+    injectedAnnotations:
+    template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}"
+    templates:
+      sidecar: |
+        {{- define "resources"  }}
+          {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+              requests:
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+                {{ end }}
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+                {{ end }}
+            {{- end }}
+            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+              limits:
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+                {{ end }}
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+                {{ end }}
+            {{- end }}
+          {{- else }}
+            {{- if .Values.global.proxy.resources }}
+              {{ toYaml .Values.global.proxy.resources | indent 6 }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+        {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }}
+        {{- $containers := list }}
+        {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+        metadata:
+          labels:
+            security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio"  | quote }}
+            {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }}
+            networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http"  | quote }}
+            {{- end }}
+            service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | trunc 63 | trimSuffix "-" | quote }}
+            service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+          annotations: {
+            istio.io/rev: {{ .Revision | default "default" | quote }},
+            {{- if ge (len $containers) 1 }}
+            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+            kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+            {{- end }}
+            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+            kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+            {{- end }}
+            {{- end }}
+        {{- if .Values.pilot.cni.enabled }}
+            {{- if eq .Values.pilot.cni.provider "multus" }}
+            k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
+            {{- end }}
+            sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
+            {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }}
+            {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }}
+            traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}",
+            traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}",
+            {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }}
+            traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}",
+            {{- end }}
+            {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }}
+            traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}",
+            {{- end }}
+            {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }}
+            {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }}
+            {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }}
+        {{- end }}
+          }
+        spec:
+          {{- $holdProxy := and
+              (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts)
+              (not $nativeSidecar) }}
+          {{- $noInitContainer := and
+              (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`)
+              (not $nativeSidecar) }}
+          {{ if $noInitContainer }}
+          initContainers: []
+          {{ else -}}
+          initContainers:
+          {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
+          {{ if .Values.pilot.cni.enabled -}}
+          - name: istio-validation
+          {{ else -}}
+          - name: istio-init
+          {{ end -}}
+          {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+            image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+          {{- else }}
+            image: "{{ .ProxyImage }}"
+          {{- end }}
+            args:
+            - istio-iptables
+            - "-p"
+            - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }}
+            - "-z"
+            - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }}
+            - "-u"
+            - {{ .ProxyUID | default "1337" | quote }}
+            - "-m"
+            - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}"
+            - "-i"
+            - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}"
+            - "-x"
+            - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}"
+            - "-b"
+            - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}"
+            - "-d"
+          {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}
+            - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}"
+          {{- else }}
+            - "15090,15021"
+          {{- end }}
+            {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}}
+            - "-q"
+            - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}"
+            {{ end -}}
+            {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}}
+            - "-o"
+            - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}"
+            {{ end -}}
+            {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}}
+            - "-k"
+            - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}"
+            {{ end -}}
+            {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}}
+            - "-k"
+            - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}"
+            {{ end -}}
+             {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}}
+            - "-c"
+            - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}"
+            {{ end -}}
+            - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}"
+            {{ if .Values.global.logAsJson -}}
+            - "--log_as_json"
+            {{ end -}}
+            {{ if .Values.pilot.cni.enabled -}}
+            - "--run-validation"
+            - "--skip-rule-apply"
+            {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+            - "--force-apply"
+            {{ end -}}
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+          {{- if .ProxyConfig.ProxyMetadata }}
+            env:
+            {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+            - name: {{ $key }}
+              value: "{{ $value }}"
+            {{- end }}
+          {{- end }}
+            resources:
+          {{ template "resources" . }}
+            securityContext:
+              allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+              privileged: {{ .Values.global.proxy.privileged }}
+              capabilities:
+            {{- if not .Values.pilot.cni.enabled }}
+                add:
+                - NET_ADMIN
+                - NET_RAW
+            {{- end }}
+                drop:
+                - ALL
+            {{- if not .Values.pilot.cni.enabled }}
+              readOnlyRootFilesystem: false
+              runAsGroup: 0
+              runAsNonRoot: false
+              runAsUser: 0
+            {{- else }}
+              readOnlyRootFilesystem: true
+              runAsGroup: {{ .ProxyGID | default "1337" }}
+              runAsUser: {{ .ProxyUID | default "1337" }}
+              runAsNonRoot: true
+            {{- end }}
+          {{ end -}}
+          {{ end -}}
+          {{ if not $nativeSidecar }}
+          containers:
+          {{ end }}
+          - name: istio-proxy
+          {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+            image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+          {{- else }}
+            image: "{{ .ProxyImage }}"
+          {{- end }}
+            {{ if $nativeSidecar }}restartPolicy: Always{{end}}
+            ports:
+            - containerPort: 15090
+              protocol: TCP
+              name: http-envoy-prom
+            args:
+            - proxy
+            - sidecar
+            - --domain
+            - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+            - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+            - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+            - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+          {{- if .Values.global.sts.servicePort }}
+            - --stsPort={{ .Values.global.sts.servicePort }}
+          {{- end }}
+          {{- if .Values.global.logAsJson }}
+            - --log_as_json
+          {{- end }}
+          {{- if .Values.global.proxy.outlierLogPath }}
+            - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+          {{- end}}
+          {{- if .Values.global.proxy.lifecycle }}
+            lifecycle:
+              {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+          {{- else if $holdProxy }}
+            lifecycle:
+              postStart:
+                exec:
+                  command:
+                  - pilot-agent
+                  - wait
+          {{- else if $nativeSidecar }}
+            {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}}
+            lifecycle:
+              preStop:
+                exec:
+                  command:
+                  - pilot-agent
+                  - request
+                  - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}}
+                  - POST
+                  - drain
+          {{- end }}
+            env:
+            {{- if eq .InboundTrafficPolicyMode "localhost" }}
+            - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+              value: "true"
+            {{- end }}
+            - name: PILOT_CERT_PROVIDER
+              value: {{ .Values.global.pilotCertProvider }}
+            - name: CA_ADDR
+            {{- if .Values.global.caAddress }}
+              value: {{ .Values.global.caAddress }}
+            {{- else }}
+              value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+            {{- end }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: INSTANCE_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: ISTIO_CPU_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: PROXY_CONFIG
+              value: |
+                     {{ protoToJSON .ProxyConfig }}
+            - name: ISTIO_META_POD_PORTS
+              value: |-
+                [
+                {{- $first := true }}
+                {{- range $index1, $c := .Spec.Containers }}
+                  {{- range $index2, $p := $c.Ports }}
+                    {{- if (structToJSON $p) }}
+                    {{if not $first}},{{end}}{{ structToJSON $p }}
+                    {{- $first = false }}
+                    {{- end }}
+                  {{- end}}
+                {{- end}}
+                ]
+            - name: ISTIO_META_APP_CONTAINERS
+              value: "{{ $containers | join "," }}"
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            {{- if .CompliancePolicy }}
+            - name: COMPLIANCE_POLICY
+              value: "{{ .CompliancePolicy }}"
+            {{- end }}
+            - name: ISTIO_META_CLUSTER_ID
+              value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+            - name: ISTIO_META_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: ISTIO_META_INTERCEPTION_MODE
+              value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+            {{- if .Values.global.network }}
+            - name: ISTIO_META_NETWORK
+              value: "{{ .Values.global.network }}"
+            {{- end }}
+            {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }}
+            - name: ISTIO_META_WORKLOAD_NAME
+              value: "{{ . }}"
+            {{ end }}
+            {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+            - name: ISTIO_META_OWNER
+              value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+            {{- end}}
+            {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+            - name: ISTIO_BOOTSTRAP_OVERRIDE
+              value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+            {{- end }}
+            {{- if .Values.global.meshID }}
+            - name: ISTIO_META_MESH_ID
+              value: "{{ .Values.global.meshID }}"
+            {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+            - name: ISTIO_META_MESH_ID
+              value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+            {{- end }}
+            {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+            - name: TRUST_DOMAIN
+              value: "{{ . }}"
+            {{- end }}
+            {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+            {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+            - name: {{ $key }}
+              value: "{{ $value }}"
+            {{- end }}
+            {{- end }}
+            {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+            - name: {{ $key }}
+              value: "{{ $value }}"
+            {{- end }}
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+            {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+          {{ if .Values.global.proxy.startupProbe.enabled }}
+            startupProbe:
+              httpGet:
+                path: /healthz/ready
+                port: 15021
+              initialDelaySeconds: 0
+              periodSeconds: 1
+              timeoutSeconds: 3
+              failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }}
+          {{ end }}
+            readinessProbe:
+              httpGet:
+                path: /healthz/ready
+                port: 15021
+              initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+              periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+              timeoutSeconds: 3
+              failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+            {{ end -}}
+            securityContext:
+              {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }}
+              allowPrivilegeEscalation: true
+              capabilities:
+                add:
+                - NET_ADMIN
+                drop:
+                - ALL
+              privileged: true
+              readOnlyRootFilesystem: true
+              runAsGroup: {{ .ProxyGID | default "1337" }}
+              runAsNonRoot: false
+              runAsUser: 0
+              {{- else }}
+              allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+              capabilities:
+                {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+                add:
+                {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+                - NET_ADMIN
+                {{- end }}
+                {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+                - NET_BIND_SERVICE
+                {{- end }}
+                {{- end }}
+                drop:
+                - ALL
+              privileged: {{ .Values.global.proxy.privileged }}
+              readOnlyRootFilesystem: true
+              runAsGroup: {{ .ProxyGID | default "1337" }}
+              {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+              runAsNonRoot: false
+              runAsUser: 0
+              {{- else -}}
+              runAsNonRoot: true
+              runAsUser: {{ .ProxyUID | default "1337" }}
+              {{- end }}
+              {{- end }}
+            resources:
+          {{ template "resources" . }}
+            volumeMounts:
+            - name: workload-socket
+              mountPath: /var/run/secrets/workload-spiffe-uds
+            - name: credential-socket
+              mountPath: /var/run/secrets/credential-uds
+            {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+            - name: gke-workload-certificate
+              mountPath: /var/run/secrets/workload-spiffe-credentials
+              readOnly: true
+            {{- else }}
+            - name: workload-certs
+              mountPath: /var/run/secrets/workload-spiffe-credentials
+            {{- end }}
+            {{- if eq .Values.global.pilotCertProvider "istiod" }}
+            - mountPath: /var/run/secrets/istio
+              name: istiod-ca-cert
+            {{- end }}
+            - mountPath: /var/lib/istio/data
+              name: istio-data
+            {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+            - mountPath: /etc/istio/custom-bootstrap
+              name: custom-bootstrap-volume
+            {{- end }}
+            # SDS channel between istioagent and Envoy
+            - mountPath: /etc/istio/proxy
+              name: istio-envoy
+            - mountPath: /var/run/secrets/tokens
+              name: istio-token
+            {{- if .Values.global.mountMtlsCerts }}
+            # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+            - mountPath: /etc/certs/
+              name: istio-certs
+              readOnly: true
+            {{- end }}
+            - name: istio-podinfo
+              mountPath: /etc/istio/pod
+             {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+            - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+              name: lightstep-certs
+              readOnly: true
+            {{- end }}
+              {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+              {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+            - name: "{{  $index }}"
+              {{ toYaml $value | indent 6 }}
+              {{ end }}
+              {{- end }}
+          volumes:
+          - emptyDir:
+            name: workload-socket
+          - emptyDir:
+            name: credential-socket
+          {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+          - name: gke-workload-certificate
+            csi:
+              driver: workloadcertificates.security.cloud.google.com
+          {{- else }}
+          - emptyDir:
+            name: workload-certs
+          {{- end }}
+          {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+          - name: custom-bootstrap-volume
+            configMap:
+              name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+          {{- end }}
+          # SDS channel between istioagent and Envoy
+          - emptyDir:
+              medium: Memory
+            name: istio-envoy
+          - name: istio-data
+            emptyDir: {}
+          - name: istio-podinfo
+            downwardAPI:
+              items:
+                - path: "labels"
+                  fieldRef:
+                    fieldPath: metadata.labels
+                - path: "annotations"
+                  fieldRef:
+                    fieldPath: metadata.annotations
+          - name: istio-token
+            projected:
+              sources:
+              - serviceAccountToken:
+                  path: istio-token
+                  expirationSeconds: 43200
+                  audience: {{ .Values.global.sds.token.aud }}
+          {{- if eq .Values.global.pilotCertProvider "istiod" }}
+          - name: istiod-ca-cert
+            configMap:
+              name: istio-ca-root-cert
+          {{- end }}
+          {{- if .Values.global.mountMtlsCerts }}
+          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+          - name: istio-certs
+            secret:
+              optional: true
+              {{ if eq .Spec.ServiceAccountName "" }}
+              secretName: istio.default
+              {{ else -}}
+              secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+              {{  end -}}
+          {{- end }}
+            {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+            {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+          - name: "{{ $index }}"
+            {{ toYaml $value | indent 4 }}
+            {{ end }}
+            {{ end }}
+          {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+          - name: lightstep-certs
+            secret:
+              optional: true
+              secretName: lightstep.cacert
+          {{- end }}
+          {{- if .Values.global.imagePullSecrets }}
+          imagePullSecrets:
+            {{- range .Values.global.imagePullSecrets }}
+            - name: {{ . }}
+            {{- end }}
+          {{- end }}
+      gateway: |
+        {{- $containers := list }}
+        {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+        metadata:
+          labels:
+            service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+            service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+          annotations:
+            istio.io/rev: {{ .Revision | default "default" | quote }}
+            {{- if ge (len $containers) 1 }}
+            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+            kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}"
+            {{- end }}
+            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+            kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}"
+            {{- end }}
+            {{- end }}
+        spec:
+          securityContext:
+          {{- if .Values.gateways.securityContext }}
+            {{- toYaml .Values.gateways.securityContext | nindent 4 }}
+          {{- else }}
+            sysctls:
+            - name: net.ipv4.ip_unprivileged_port_start
+              value: "0"
+          {{- end }}
+          containers:
+          - name: istio-proxy
+          {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+            image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+          {{- else }}
+            image: "{{ .ProxyImage }}"
+          {{- end }}
+            ports:
+            - containerPort: 15090
+              protocol: TCP
+              name: http-envoy-prom
+            args:
+            - proxy
+            - router
+            - --domain
+            - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+            - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+            - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+            - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+          {{- if .Values.global.sts.servicePort }}
+            - --stsPort={{ .Values.global.sts.servicePort }}
+          {{- end }}
+          {{- if .Values.global.logAsJson }}
+            - --log_as_json
+          {{- end }}
+          {{- if .Values.global.proxy.lifecycle }}
+            lifecycle:
+              {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+          {{- end }}
+            securityContext:
+              runAsUser: {{ .ProxyUID | default "1337" }}
+              runAsGroup: {{ .ProxyGID | default "1337" }}
+            env:
+            - name: PILOT_CERT_PROVIDER
+              value: {{ .Values.global.pilotCertProvider }}
+            - name: CA_ADDR
+            {{- if .Values.global.caAddress }}
+              value: {{ .Values.global.caAddress }}
+            {{- else }}
+              value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+            {{- end }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: INSTANCE_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: ISTIO_CPU_LIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            - name: PROXY_CONFIG
+              value: |
+                     {{ protoToJSON .ProxyConfig }}
+            - name: ISTIO_META_POD_PORTS
+              value: |-
+                [
+                {{- $first := true }}
+                {{- range $index1, $c := .Spec.Containers }}
+                  {{- range $index2, $p := $c.Ports }}
+                    {{- if (structToJSON $p) }}
+                    {{if not $first}},{{end}}{{ structToJSON $p }}
+                    {{- $first = false }}
+                    {{- end }}
+                  {{- end}}
+                {{- end}}
+                ]
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
+            {{- if .CompliancePolicy }}
+            - name: COMPLIANCE_POLICY
+              value: "{{ .CompliancePolicy }}"
+            {{- end }}
+            - name: ISTIO_META_APP_CONTAINERS
+              value: "{{ $containers | join "," }}"
+            - name: ISTIO_META_CLUSTER_ID
+              value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+            - name: ISTIO_META_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: ISTIO_META_INTERCEPTION_MODE
+              value: "{{ .ProxyConfig.InterceptionMode.String }}"
+            {{- if .Values.global.network }}
+            - name: ISTIO_META_NETWORK
+              value: "{{ .Values.global.network }}"
+            {{- end }}
+            {{- if .DeploymentMeta.Name }}
+            - name: ISTIO_META_WORKLOAD_NAME
+              value: "{{ .DeploymentMeta.Name }}"
+            {{ end }}
+            {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+            - name: ISTIO_META_OWNER
+              value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+            {{- end}}
+            {{- if .Values.global.meshID }}
+            - name: ISTIO_META_MESH_ID
+              value: "{{ .Values.global.meshID }}"
+            {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+            - name: ISTIO_META_MESH_ID
+              value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+            {{- end }}
+            {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+            - name: TRUST_DOMAIN
+              value: "{{ . }}"
+            {{- end }}
+            {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+            - name: {{ $key }}
+              value: "{{ $value }}"
+            {{- end }}
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+            readinessProbe:
+              httpGet:
+                path: /healthz/ready
+                port: 15021
+              initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+              periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+              timeoutSeconds: 3
+              failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+            volumeMounts:
+            - name: workload-socket
+              mountPath: /var/run/secrets/workload-spiffe-uds
+            - name: credential-socket
+              mountPath: /var/run/secrets/credential-uds
+            {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+            - name: gke-workload-certificate
+              mountPath: /var/run/secrets/workload-spiffe-credentials
+              readOnly: true
+            {{- else }}
+            - name: workload-certs
+              mountPath: /var/run/secrets/workload-spiffe-credentials
+            {{- end }}
+            {{- if eq .Values.global.pilotCertProvider "istiod" }}
+            - mountPath: /var/run/secrets/istio
+              name: istiod-ca-cert
+            {{- end }}
+            - mountPath: /var/lib/istio/data
+              name: istio-data
+            # SDS channel between istioagent and Envoy
+            - mountPath: /etc/istio/proxy
+              name: istio-envoy
+            - mountPath: /var/run/secrets/tokens
+              name: istio-token
+            {{- if .Values.global.mountMtlsCerts }}
+            # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+            - mountPath: /etc/certs/
+              name: istio-certs
+              readOnly: true
+            {{- end }}
+            - name: istio-podinfo
+              mountPath: /etc/istio/pod
+          volumes:
+          - emptyDir: {}
+            name: workload-socket
+          - emptyDir: {}
+            name: credential-socket
+          {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+          - name: gke-workload-certificate
+            csi:
+              driver: workloadcertificates.security.cloud.google.com
+          {{- else}}
+          - emptyDir: {}
+            name: workload-certs
+          {{- end }}
+          # SDS channel between istioagent and Envoy
+          - emptyDir:
+              medium: Memory
+            name: istio-envoy
+          - name: istio-data
+            emptyDir: {}
+          - name: istio-podinfo
+            downwardAPI:
+              items:
+                - path: "labels"
+                  fieldRef:
+                    fieldPath: metadata.labels
+                - path: "annotations"
+                  fieldRef:
+                    fieldPath: metadata.annotations
+          - name: istio-token
+            projected:
+              sources:
+              - serviceAccountToken:
+                  path: istio-token
+                  expirationSeconds: 43200
+                  audience: {{ .Values.global.sds.token.aud }}
+          {{- if eq .Values.global.pilotCertProvider "istiod" }}
+          - name: istiod-ca-cert
+            configMap:
+              name: istio-ca-root-cert
+          {{- end }}
+          {{- if .Values.global.mountMtlsCerts }}
+          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+          - name: istio-certs
+            secret:
+              optional: true
+              {{ if eq .Spec.ServiceAccountName "" }}
+              secretName: istio.default
+              {{ else -}}
+              secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+              {{  end -}}
+          {{- end }}
+          {{- if .Values.global.imagePullSecrets }}
+          imagePullSecrets:
+            {{- range .Values.global.imagePullSecrets }}
+            - name: {{ . }}
+            {{- end }}
+          {{- end }}
+      grpc-simple: |
+        metadata:
+          annotations:
+            sidecar.istio.io/rewriteAppHTTPProbers: "false"
+        spec:
+          initContainers:
+            - name: grpc-bootstrap-init
+              image: busybox:1.28
+              volumeMounts:
+                - mountPath: /var/lib/grpc/data/
+                  name: grpc-io-proxyless-bootstrap
+              env:
+                - name: INSTANCE_IP
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: status.podIP
+                - name: POD_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.name
+                - name: POD_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+                - name: ISTIO_NAMESPACE
+                  value: |
+                     {{ .Values.global.istioNamespace }}
+              command:
+                - sh
+                - "-c"
+                - |-
+                  NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+                  SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+                  echo '
+                  {
+                    "xds_servers": [
+                      {
+                        "server_uri": "'${SERVER_URI}'",
+                        "channel_creds": [{"type": "insecure"}],
+                        "server_features" : ["xds_v3"]
+                      }
+                    ],
+                    "node": {
+                      "id": "'${NODE_ID}'",
+                      "metadata": {
+                        "GENERATOR": "grpc"
+                      }
+                    }
+                  }' > /var/lib/grpc/data/bootstrap.json
+          containers:
+          {{- range $index, $container := .Spec.Containers }}
+          - name: {{ $container.Name }}
+            env:
+              - name: GRPC_XDS_BOOTSTRAP
+                value: /var/lib/grpc/data/bootstrap.json
+              - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+                value: "99"
+              - name: GRPC_GO_LOG_SEVERITY_LEVEL
+                value: info
+            volumeMounts:
+              - mountPath: /var/lib/grpc/data/
+                name: grpc-io-proxyless-bootstrap
+          {{- end }}
+          volumes:
+            - name: grpc-io-proxyless-bootstrap
+              emptyDir: {}
+      grpc-agent: |
+        {{- define "resources"  }}
+          {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+              requests:
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+                {{ end }}
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+                {{ end }}
+            {{- end }}
+            {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+              limits:
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+                cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+                {{ end }}
+                {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+                memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+                {{ end }}
+            {{- end }}
+          {{- else }}
+            {{- if .Values.global.proxy.resources }}
+              {{ toYaml .Values.global.proxy.resources | indent 6 }}
+            {{- end }}
+          {{- end }}
+        {{- end }}
+        {{- $containers := list }}
+        {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+        metadata:
+          labels:
+            {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}}
+            service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name  | quote }}
+            service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest"  | quote }}
+          annotations: {
+            istio.io/rev: {{ .Revision | default "default" | quote }},
+            {{- if ge (len $containers) 1 }}
+            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }}
+            kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+            {{- end }}
+            {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }}
+            kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+            {{- end }}
+            {{- end }}
+            sidecar.istio.io/rewriteAppHTTPProbers: "false",
+          }
+        spec:
+          containers:
+          - name: istio-proxy
+          {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+            image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+          {{- else }}
+            image: "{{ .ProxyImage }}"
+          {{- end }}
+            ports:
+            - containerPort: 15020
+              protocol: TCP
+              name: mesh-metrics
+            args:
+            - proxy
+            - sidecar
+            - --domain
+            - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+            - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+            - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+            - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+          {{- if .Values.global.sts.servicePort }}
+            - --stsPort={{ .Values.global.sts.servicePort }}
+          {{- end }}
+          {{- if .Values.global.logAsJson }}
+            - --log_as_json
+          {{- end }}
+            lifecycle:
+              postStart:
+                exec:
+                  command:
+                  - pilot-agent
+                  - wait
+                  - --url=http://localhost:15020/healthz/ready
+            env:
+            - name: ISTIO_META_GENERATOR
+              value: grpc
+            - name: OUTPUT_CERTS
+              value: /var/lib/istio/data
+            {{- if eq .InboundTrafficPolicyMode "localhost" }}
+            - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+              value: "true"
+            {{- end }}
+            - name: PILOT_CERT_PROVIDER
+              value: {{ .Values.global.pilotCertProvider }}
+            - name: CA_ADDR
+            {{- if .Values.global.caAddress }}
+              value: {{ .Values.global.caAddress }}
+            {{- else }}
+              value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+            {{- end }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: INSTANCE_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+            - name: SERVICE_ACCOUNT
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
+            - name: HOST_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            - name: PROXY_CONFIG
+              value: |
+                     {{ protoToJSON .ProxyConfig }}
+            - name: ISTIO_META_POD_PORTS
+              value: |-
+                [
+                {{- $first := true }}
+                {{- range $index1, $c := .Spec.Containers }}
+                  {{- range $index2, $p := $c.Ports }}
+                    {{- if (structToJSON $p) }}
+                    {{if not $first}},{{end}}{{ structToJSON $p }}
+                    {{- $first = false }}
+                    {{- end }}
+                  {{- end}}
+                {{- end}}
+                ]
+            - name: ISTIO_META_APP_CONTAINERS
+              value: "{{ $containers | join "," }}"
+            - name: ISTIO_META_CLUSTER_ID
+              value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+            - name: ISTIO_META_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            {{- if .Values.global.network }}
+            - name: ISTIO_META_NETWORK
+              value: "{{ .Values.global.network }}"
+            {{- end }}
+            {{- if .DeploymentMeta.Name }}
+            - name: ISTIO_META_WORKLOAD_NAME
+              value: "{{ .DeploymentMeta.Name }}"
+            {{ end }}
+            {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+            - name: ISTIO_META_OWNER
+              value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+            {{- end}}
+            {{- if .Values.global.meshID }}
+            - name: ISTIO_META_MESH_ID
+              value: "{{ .Values.global.meshID }}"
+            {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+            - name: ISTIO_META_MESH_ID
+              value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+            {{- end }}
+            {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+            - name: TRUST_DOMAIN
+              value: "{{ . }}"
+            {{- end }}
+            {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+            - name: {{ $key }}
+              value: "{{ $value }}"
+            {{- end }}
+            # grpc uses xds:/// to resolve – no need to resolve VIP
+            - name: ISTIO_META_DNS_CAPTURE
+              value: "false"
+            - name: DISABLE_ENVOY
+              value: "true"
+            {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+            {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+            readinessProbe:
+              httpGet:
+                path: /healthz/ready
+                port: 15020
+              initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+              periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+              timeoutSeconds: 3
+              failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+            resources:
+          {{ template "resources" . }}
+            volumeMounts:
+            - name: workload-socket
+              mountPath: /var/run/secrets/workload-spiffe-uds
+            {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+            - name: gke-workload-certificate
+              mountPath: /var/run/secrets/workload-spiffe-credentials
+              readOnly: true
+            {{- else }}
+            - name: workload-certs
+              mountPath: /var/run/secrets/workload-spiffe-credentials
+            {{- end }}
+            {{- if eq .Values.global.pilotCertProvider "istiod" }}
+            - mountPath: /var/run/secrets/istio
+              name: istiod-ca-cert
+            {{- end }}
+            - mountPath: /var/lib/istio/data
+              name: istio-data
+            # UDS channel between istioagent and gRPC client for XDS/SDS
+            - mountPath: /etc/istio/proxy
+              name: istio-xds
+            - mountPath: /var/run/secrets/tokens
+              name: istio-token
+            {{- if .Values.global.mountMtlsCerts }}
+            # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+            - mountPath: /etc/certs/
+              name: istio-certs
+              readOnly: true
+            {{- end }}
+            - name: istio-podinfo
+              mountPath: /etc/istio/pod
+            {{- end }}
+              {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+              {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+            - name: "{{  $index }}"
+              {{ toYaml $value | indent 6 }}
+              {{ end }}
+              {{- end }}
+        {{- range $index, $container := .Spec.Containers  }}
+        {{ if not (eq $container.Name "istio-proxy") }}
+          - name: {{ $container.Name }}
+            env:
+              - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+                value: "true"
+              - name: "GRPC_XDS_BOOTSTRAP"
+                value: "/etc/istio/proxy/grpc-bootstrap.json"
+            volumeMounts:
+              - mountPath: /var/lib/istio/data
+                name: istio-data
+              # UDS channel between istioagent and gRPC client for XDS/SDS
+              - mountPath: /etc/istio/proxy
+                name: istio-xds
+              {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }}
+              - name: gke-workload-certificate
+                mountPath: /var/run/secrets/workload-spiffe-credentials
+                readOnly: true
+              {{- else }}
+              - name: workload-certs
+                mountPath: /var/run/secrets/workload-spiffe-credentials
+              {{- end }}
+        {{- end }}
+        {{- end }}
+          volumes:
+          - emptyDir:
+            name: workload-socket
+          {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+          - name: gke-workload-certificate
+            csi:
+              driver: workloadcertificates.security.cloud.google.com
+          {{- else }}
+          - emptyDir:
+            name: workload-certs
+          {{- end }}
+          {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+          - name: custom-bootstrap-volume
+            configMap:
+              name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+          {{- end }}
+          # SDS channel between istioagent and Envoy
+          - emptyDir:
+              medium: Memory
+            name: istio-xds
+          - name: istio-data
+            emptyDir: {}
+          - name: istio-podinfo
+            downwardAPI:
+              items:
+                - path: "labels"
+                  fieldRef:
+                    fieldPath: metadata.labels
+                - path: "annotations"
+                  fieldRef:
+                    fieldPath: metadata.annotations
+          - name: istio-token
+            projected:
+              sources:
+              - serviceAccountToken:
+                  path: istio-token
+                  expirationSeconds: 43200
+                  audience: {{ .Values.global.sds.token.aud }}
+          {{- if eq .Values.global.pilotCertProvider "istiod" }}
+          - name: istiod-ca-cert
+            configMap:
+              name: istio-ca-root-cert
+          {{- end }}
+          {{- if .Values.global.mountMtlsCerts }}
+          # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+          - name: istio-certs
+            secret:
+              optional: true
+              {{ if eq .Spec.ServiceAccountName "" }}
+              secretName: istio.default
+              {{ else -}}
+              secretName: {{  printf "istio.%s" .Spec.ServiceAccountName }}
+              {{  end -}}
+          {{- end }}
+            {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+            {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+          - name: "{{ $index }}"
+            {{ toYaml $value | indent 4 }}
+            {{ end }}
+            {{ end }}
+          {{- if .Values.global.imagePullSecrets }}
+          imagePullSecrets:
+            {{- range .Values.global.imagePullSecrets }}
+            - name: {{ . }}
+            {{- end }}
+          {{- end }}
+      waypoint: |
+        apiVersion: v1
+        kind: ServiceAccount
+        metadata:
+          name: {{.ServiceAccount | quote}}
+          namespace: {{.Namespace | quote}}
+          annotations:
+            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+          labels:
+            {{- toJsonMap
+              .InfrastructureLabels
+              (strdict
+                "gateway.networking.k8s.io/gateway-name" .Name
+              ) | nindent 4 }}
+          {{- if ge .KubeVersion 128 }}
+          # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+          ownerReferences:
+          - apiVersion: gateway.networking.k8s.io/v1beta1
+            kind: Gateway
+            name: "{{.Name}}"
+            uid: "{{.UID}}"
+          {{- end }}
+        ---
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: {{.DeploymentName | quote}}
+          namespace: {{.Namespace | quote}}
+          annotations:
+            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+          labels:
+            {{- toJsonMap
+              .InfrastructureLabels
+              (strdict
+                "gateway.networking.k8s.io/gateway-name" .Name
+                "gateway.istio.io/managed" "istio.io-mesh-controller"
+              ) | nindent 4 }}
+          ownerReferences:
+          - apiVersion: gateway.networking.k8s.io/v1beta1
+            kind: Gateway
+            name: "{{.Name}}"
+            uid: "{{.UID}}"
+        spec:
+          selector:
+            matchLabels:
+              "{{.GatewayNameLabel}}": "{{.Name}}"
+          template:
+            metadata:
+              annotations:
+                {{- toJsonMap
+                  (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+                  (strdict "istio.io/rev" (.Revision | default "default"))
+                  (strdict
+                    "prometheus.io/path" "/stats/prometheus"
+                    "prometheus.io/port" "15020"
+                    "prometheus.io/scrape" "true"
+                  ) | nindent 8 }}
+              labels:
+                {{- toJsonMap
+                  (strdict
+                    "sidecar.istio.io/inject" "false"
+                    "istio.io/dataplane-mode" "none"
+                    "service.istio.io/canonical-name" .DeploymentName
+                    "service.istio.io/canonical-revision" "latest"
+                   )
+                  .InfrastructureLabels
+                  (strdict
+                    "gateway.networking.k8s.io/gateway-name" .Name
+                    "gateway.istio.io/managed" "istio.io-mesh-controller"
+                  ) | nindent 8}}
+            spec:
+              {{- if .Values.global.waypoint.affinity }}
+              affinity:
+              {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+              {{- end }}
+              {{- if .Values.global.waypoint.topologySpreadConstraints }}
+              topologySpreadConstraints:
+              {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+              {{- end }}
+              {{- if .Values.global.waypoint.nodeSelector }}
+              nodeSelector:
+              {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+              {{- end }}
+              {{- if .Values.global.waypoint.tolerations }}
+              tolerations:
+              {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+              {{- end }}
+              terminationGracePeriodSeconds: 2
+              serviceAccountName: {{.ServiceAccount | quote}}
+              containers:
+              - name: istio-proxy
+                ports:
+                - containerPort: 15020
+                  name: metrics
+                  protocol: TCP
+                - containerPort: 15021
+                  name: status-port
+                  protocol: TCP
+                - containerPort: 15090
+                  protocol: TCP
+                  name: http-envoy-prom
+                {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+                image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+                {{- else }}
+                image: "{{ .ProxyImage }}"
+                {{- end }}
+                {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+                args:
+                - proxy
+                - waypoint
+                - --domain
+                - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+                - --serviceCluster
+                - {{.ServiceAccount}}.$(POD_NAMESPACE)
+                - --proxyLogLevel
+                - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+                - --proxyComponentLogLevel
+                - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+                - --log_output_level
+                - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+                {{- if .Values.global.logAsJson }}
+                - --log_as_json
+                {{- end }}
+                {{- if .Values.global.proxy.outlierLogPath }}
+                - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }}
+                {{- end}}
+                env:
+                - name: ISTIO_META_SERVICE_ACCOUNT
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.serviceAccountName
+                - name: ISTIO_META_NODE_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.nodeName
+                - name: PILOT_CERT_PROVIDER
+                  value: {{ .Values.global.pilotCertProvider }}
+                - name: CA_ADDR
+                {{- if .Values.global.caAddress }}
+                  value: {{ .Values.global.caAddress }}
+                {{- else }}
+                  value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+                {{- end }}
+                - name: POD_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.name
+                - name: POD_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+                - name: INSTANCE_IP
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: status.podIP
+                - name: SERVICE_ACCOUNT
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.serviceAccountName
+                - name: HOST_IP
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: status.hostIP
+                - name: ISTIO_CPU_LIMIT
+                  valueFrom:
+                    resourceFieldRef:
+                      resource: limits.cpu
+                - name: PROXY_CONFIG
+                  value: |
+                         {{ protoToJSON .ProxyConfig }}
+                {{- if .ProxyConfig.ProxyMetadata }}
+                {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+                - name: {{ $key }}
+                  value: "{{ $value }}"
+                {{- end }}
+                {{- end }}
+                - name: GOMEMLIMIT
+                  valueFrom:
+                    resourceFieldRef:
+                      resource: limits.memory
+                - name: GOMAXPROCS
+                  valueFrom:
+                    resourceFieldRef:
+                      resource: limits.cpu
+                - name: ISTIO_META_CLUSTER_ID
+                  value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+                {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }}
+                {{- if $network }}
+                - name: ISTIO_META_NETWORK
+                  value: "{{ $network }}"
+                {{- end }}
+                - name: ISTIO_META_INTERCEPTION_MODE
+                  value: REDIRECT
+                - name: ISTIO_META_WORKLOAD_NAME
+                  value: {{.DeploymentName}}
+                - name: ISTIO_META_OWNER
+                  value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}
+                {{- if .Values.global.meshID }}
+                - name: ISTIO_META_MESH_ID
+                  value: "{{ .Values.global.meshID }}"
+                {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+                - name: ISTIO_META_MESH_ID
+                  value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+                {{- end }}
+                {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+                - name: TRUST_DOMAIN
+                  value: "{{ . }}"
+                {{- end }}
+                {{- if .Values.global.waypoint.resources }}
+                resources:
+                {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+                {{- end }}
+                startupProbe:
+                  failureThreshold: 30
+                  httpGet:
+                    path: /healthz/ready
+                    port: 15021
+                    scheme: HTTP
+                  initialDelaySeconds: 1
+                  periodSeconds: 1
+                  successThreshold: 1
+                  timeoutSeconds: 1
+                readinessProbe:
+                  failureThreshold: 4
+                  httpGet:
+                    path: /healthz/ready
+                    port: 15021
+                    scheme: HTTP
+                  initialDelaySeconds: 0
+                  periodSeconds: 15
+                  successThreshold: 1
+                  timeoutSeconds: 1
+                securityContext:
+                  privileged: false
+                {{- if not (eq .Values.global.platform "openshift") }}
+                  runAsGroup: 1337
+                  runAsUser: 1337
+                {{- end }}
+                  allowPrivilegeEscalation: false
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                  capabilities:
+                    drop:
+                    - ALL
+        {{- if .Values.gateways.seccompProfile }}
+                  seccompProfile:
+        {{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
+        {{- end }}
+                volumeMounts:
+                - mountPath: /var/run/secrets/workload-spiffe-uds
+                  name: workload-socket
+                - mountPath: /var/run/secrets/istio
+                  name: istiod-ca-cert
+                - mountPath: /var/lib/istio/data
+                  name: istio-data
+                - mountPath: /etc/istio/proxy
+                  name: istio-envoy
+                - mountPath: /var/run/secrets/tokens
+                  name: istio-token
+                - mountPath: /etc/istio/pod
+                  name: istio-podinfo
+              volumes:
+              - emptyDir: {}
+                name: workload-socket
+              - emptyDir:
+                  medium: Memory
+                name: istio-envoy
+              - emptyDir:
+                  medium: Memory
+                name: go-proxy-envoy
+              - emptyDir: {}
+                name: istio-data
+              - emptyDir: {}
+                name: go-proxy-data
+              - downwardAPI:
+                  items:
+                  - fieldRef:
+                      fieldPath: metadata.labels
+                    path: labels
+                  - fieldRef:
+                      fieldPath: metadata.annotations
+                    path: annotations
+                name: istio-podinfo
+              - name: istio-token
+                projected:
+                  sources:
+                  - serviceAccountToken:
+                      audience: istio-ca
+                      expirationSeconds: 43200
+                      path: istio-token
+              - configMap:
+                  name: istio-ca-root-cert
+                name: istiod-ca-cert
+              {{- if .Values.global.imagePullSecrets }}
+              imagePullSecrets:
+                {{- range .Values.global.imagePullSecrets }}
+                - name: {{ . }}
+                {{- end }}
+              {{- end }}
+        ---
+        apiVersion: v1
+        kind: Service
+        metadata:
+          annotations:
+            {{ toJsonMap
+              (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+              (omit .InfrastructureAnnotations
+                "kubectl.kubernetes.io/last-applied-configuration"
+                "gateway.istio.io/name-override"
+                "gateway.istio.io/service-account"
+                "gateway.istio.io/controller-version"
+              ) | nindent 4 }}
+          labels:
+            {{- toJsonMap
+              .InfrastructureLabels
+              (strdict
+                "gateway.networking.k8s.io/gateway-name" .Name
+              ) | nindent 4 }}
+          name: {{.DeploymentName | quote}}
+          namespace: {{.Namespace | quote}}
+          ownerReferences:
+          - apiVersion: gateway.networking.k8s.io/v1beta1
+            kind: Gateway
+            name: "{{.Name}}"
+            uid: "{{.UID}}"
+        spec:
+          ipFamilyPolicy: PreferDualStack
+          ports:
+          {{- range $key, $val := .Ports }}
+          - name: {{ $val.Name | quote }}
+            port: {{ $val.Port }}
+            protocol: TCP
+            appProtocol: {{ $val.AppProtocol }}
+          {{- end }}
+          selector:
+            "{{.GatewayNameLabel}}": "{{.Name}}"
+          {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+          loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+          {{- end }}
+          type: {{ .ServiceType | quote }}
+        ---
+      kube-gateway: |
+        apiVersion: v1
+        kind: ServiceAccount
+        metadata:
+          name: {{.ServiceAccount | quote}}
+          namespace: {{.Namespace | quote}}
+          annotations:
+            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+          labels:
+            {{- toJsonMap
+              .InfrastructureLabels
+              (strdict
+                "gateway.networking.k8s.io/gateway-name" .Name
+              ) | nindent 4 }}
+          {{- if ge .KubeVersion 128 }}
+          # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
+          ownerReferences:
+          - apiVersion: gateway.networking.k8s.io/v1beta1
+            kind: Gateway
+            name: "{{.Name}}"
+            uid: "{{.UID}}"
+          {{- end }}
+        ---
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          name: {{.DeploymentName | quote}}
+          namespace: {{.Namespace | quote}}
+          annotations:
+            {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+          labels:
+            {{- toJsonMap
+              .InfrastructureLabels
+              (strdict
+                "gateway.networking.k8s.io/gateway-name" .Name
+                "gateway.istio.io/managed" "istio.io-gateway-controller"
+              ) | nindent 4 }}
+          ownerReferences:
+          - apiVersion: gateway.networking.k8s.io/v1beta1
+            kind: Gateway
+            name: {{.Name}}
+            uid: "{{.UID}}"
+        spec:
+          selector:
+            matchLabels:
+              "{{.GatewayNameLabel}}": {{.Name}}
+          template:
+            metadata:
+              annotations:
+                {{- toJsonMap
+                  (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version")
+                  (strdict "istio.io/rev" (.Revision | default "default"))
+                  (strdict
+                    "prometheus.io/path" "/stats/prometheus"
+                    "prometheus.io/port" "15020"
+                    "prometheus.io/scrape" "true"
+                  ) | nindent 8 }}
+              labels:
+                {{- toJsonMap
+                  (strdict
+                    "sidecar.istio.io/inject" "false"
+                    "service.istio.io/canonical-name" .DeploymentName
+                    "service.istio.io/canonical-revision" "latest"
+                   )
+                  .InfrastructureLabels
+                  (strdict
+                    "gateway.networking.k8s.io/gateway-name" .Name
+                    "gateway.istio.io/managed" "istio.io-gateway-controller"
+                  ) | nindent 8 }}
+            spec:
+              securityContext:
+              {{- if .Values.gateways.securityContext }}
+                {{- toYaml .Values.gateways.securityContext | nindent 8 }}
+              {{- else }}
+                sysctls:
+                - name: net.ipv4.ip_unprivileged_port_start
+                  value: "0"
+              {{- if .Values.gateways.seccompProfile }}
+                seccompProfile:
+              {{- toYaml .Values.gateways.seccompProfile | nindent 10 }}
+              {{- end }}
+              {{- end }}
+              serviceAccountName: {{.ServiceAccount | quote}}
+              containers:
+              - name: istio-proxy
+              {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+                image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+              {{- else }}
+                image: "{{ .ProxyImage }}"
+              {{- end }}
+                {{- if .Values.global.proxy.resources }}
+                resources:
+                  {{- toYaml .Values.global.proxy.resources | nindent 10 }}
+                {{- end }}
+                {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+                securityContext:
+                  capabilities:
+                    drop:
+                    - ALL
+                  allowPrivilegeEscalation: false
+                  privileged: false
+                  readOnlyRootFilesystem: true
+                  runAsUser: {{ .ProxyUID | default "1337" }}
+                  runAsGroup: {{ .ProxyGID | default "1337" }}
+                  runAsNonRoot: true
+                ports:
+                - containerPort: 15020
+                  name: metrics
+                  protocol: TCP
+                - containerPort: 15021
+                  name: status-port
+                  protocol: TCP
+                - containerPort: 15090
+                  protocol: TCP
+                  name: http-envoy-prom
+                args:
+                - proxy
+                - router
+                - --domain
+                - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+                - --proxyLogLevel
+                - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}}
+                - --proxyComponentLogLevel
+                - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}}
+                - --log_output_level
+                - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}}
+              {{- if .Values.global.sts.servicePort }}
+                - --stsPort={{ .Values.global.sts.servicePort }}
+              {{- end }}
+              {{- if .Values.global.logAsJson }}
+                - --log_as_json
+              {{- end }}
+              {{- if .Values.global.proxy.lifecycle }}
+                lifecycle:
+                  {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }}
+              {{- end }}
+                env:
+                - name: PILOT_CERT_PROVIDER
+                  value: {{ .Values.global.pilotCertProvider }}
+                - name: CA_ADDR
+                {{- if .Values.global.caAddress }}
+                  value: {{ .Values.global.caAddress }}
+                {{- else }}
+                  value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+                {{- end }}
+                - name: POD_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.name
+                - name: POD_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.namespace
+                - name: INSTANCE_IP
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: status.podIP
+                - name: SERVICE_ACCOUNT
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.serviceAccountName
+                - name: HOST_IP
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: status.hostIP
+                - name: ISTIO_CPU_LIMIT
+                  valueFrom:
+                    resourceFieldRef:
+                      resource: limits.cpu
+                - name: PROXY_CONFIG
+                  value: |
+                         {{ protoToJSON .ProxyConfig }}
+                - name: ISTIO_META_POD_PORTS
+                  value: "[]"
+                - name: ISTIO_META_APP_CONTAINERS
+                  value: ""
+                - name: GOMEMLIMIT
+                  valueFrom:
+                    resourceFieldRef:
+                      resource: limits.memory
+                - name: GOMAXPROCS
+                  valueFrom:
+                    resourceFieldRef:
+                      resource: limits.cpu
+                - name: ISTIO_META_CLUSTER_ID
+                  value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}"
+                - name: ISTIO_META_NODE_NAME
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: spec.nodeName
+                - name: ISTIO_META_INTERCEPTION_MODE
+                  value: "{{ .ProxyConfig.InterceptionMode.String }}"
+                {{- with (valueOrDefault  (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }}
+                - name: ISTIO_META_NETWORK
+                  value: {{.|quote}}
+                {{- end }}
+                - name: ISTIO_META_WORKLOAD_NAME
+                  value: {{.DeploymentName|quote}}
+                - name: ISTIO_META_OWNER
+                  value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}"
+                {{- if .Values.global.meshID }}
+                - name: ISTIO_META_MESH_ID
+                  value: "{{ .Values.global.meshID }}"
+                {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+                - name: ISTIO_META_MESH_ID
+                  value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+                {{- end }}
+                {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain)  }}
+                - name: TRUST_DOMAIN
+                  value: "{{ . }}"
+                {{- end }}
+                {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+                - name: {{ $key }}
+                  value: "{{ $value }}"
+                {{- end }}
+                {{- with (index .InfrastructureLabels "topology.istio.io/network") }}
+                - name: ISTIO_META_REQUESTED_NETWORK_VIEW
+                  value: {{.|quote}}
+                {{- end }}
+                startupProbe:
+                  failureThreshold: 30
+                  httpGet:
+                    path: /healthz/ready
+                    port: 15021
+                    scheme: HTTP
+                  initialDelaySeconds: 1
+                  periodSeconds: 1
+                  successThreshold: 1
+                  timeoutSeconds: 1
+                readinessProbe:
+                  failureThreshold: 4
+                  httpGet:
+                    path: /healthz/ready
+                    port: 15021
+                    scheme: HTTP
+                  initialDelaySeconds: 0
+                  periodSeconds: 15
+                  successThreshold: 1
+                  timeoutSeconds: 1
+                volumeMounts:
+                - name: workload-socket
+                  mountPath: /var/run/secrets/workload-spiffe-uds
+                - name: credential-socket
+                  mountPath: /var/run/secrets/credential-uds
+                {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+                - name: gke-workload-certificate
+                  mountPath: /var/run/secrets/workload-spiffe-credentials
+                  readOnly: true
+                {{- else }}
+                - name: workload-certs
+                  mountPath: /var/run/secrets/workload-spiffe-credentials
+                {{- end }}
+                {{- if eq .Values.global.pilotCertProvider "istiod" }}
+                - mountPath: /var/run/secrets/istio
+                  name: istiod-ca-cert
+                {{- end }}
+                - mountPath: /var/lib/istio/data
+                  name: istio-data
+                # SDS channel between istioagent and Envoy
+                - mountPath: /etc/istio/proxy
+                  name: istio-envoy
+                - mountPath: /var/run/secrets/tokens
+                  name: istio-token
+                - name: istio-podinfo
+                  mountPath: /etc/istio/pod
+              volumes:
+              - emptyDir: {}
+                name: workload-socket
+              - emptyDir: {}
+                name: credential-socket
+              {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+              - name: gke-workload-certificate
+                csi:
+                  driver: workloadcertificates.security.cloud.google.com
+              {{- else}}
+              - emptyDir: {}
+                name: workload-certs
+              {{- end }}
+              # SDS channel between istioagent and Envoy
+              - emptyDir:
+                  medium: Memory
+                name: istio-envoy
+              - name: istio-data
+                emptyDir: {}
+              - name: istio-podinfo
+                downwardAPI:
+                  items:
+                    - path: "labels"
+                      fieldRef:
+                        fieldPath: metadata.labels
+                    - path: "annotations"
+                      fieldRef:
+                        fieldPath: metadata.annotations
+              - name: istio-token
+                projected:
+                  sources:
+                  - serviceAccountToken:
+                      path: istio-token
+                      expirationSeconds: 43200
+                      audience: {{ .Values.global.sds.token.aud }}
+              {{- if eq .Values.global.pilotCertProvider "istiod" }}
+              - name: istiod-ca-cert
+                configMap:
+                  name: istio-ca-root-cert
+              {{- end }}
+              {{- if .Values.global.imagePullSecrets }}
+              imagePullSecrets:
+                {{- range .Values.global.imagePullSecrets }}
+                - name: {{ . }}
+                {{- end }}
+              {{- end }}
+        ---
+        apiVersion: v1
+        kind: Service
+        metadata:
+          annotations:
+            {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+          labels:
+            {{- toJsonMap
+              .InfrastructureLabels
+              (strdict
+                "gateway.networking.k8s.io/gateway-name" .Name
+              ) | nindent 4 }}
+          name: {{.DeploymentName | quote}}
+          namespace: {{.Namespace | quote}}
+          ownerReferences:
+          - apiVersion: gateway.networking.k8s.io/v1beta1
+            kind: Gateway
+            name: {{.Name}}
+            uid: {{.UID}}
+        spec:
+          ipFamilyPolicy: PreferDualStack
+          ports:
+          {{- range $key, $val := .Ports }}
+          - name: {{ $val.Name | quote }}
+            port: {{ $val.Port }}
+            protocol: TCP
+            appProtocol: {{ $val.AppProtocol }}
+          {{- end }}
+          selector:
+            "{{.GatewayNameLabel}}": {{.Name}}
+          {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }}
+          loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}}
+          {{- end }}
+          type: {{ .ServiceType | quote }}
+        ---
+  values: |-
+    {
+      "gateways": {
+        "seccompProfile": {},
+        "securityContext": {}
+      },
+      "global": {
+        "caAddress": "",
+        "caName": "",
+        "certSigners": [],
+        "configCluster": false,
+        "configValidation": true,
+        "defaultPodDisruptionBudget": {
+          "enabled": true
+        },
+        "defaultResources": {
+          "requests": {
+            "cpu": "10m"
+          }
+        },
+        "externalIstiod": false,
+        "hub": "gcr.io/istio-testing",
+        "imagePullPolicy": "",
+        "imagePullSecrets": [],
+        "istioNamespace": "istio-system",
+        "istiod": {
+          "enableAnalysis": false
+        },
+        "logAsJson": false,
+        "logging": {
+          "level": "default:info"
+        },
+        "meshID": "",
+        "meshNetworks": {},
+        "mountMtlsCerts": false,
+        "multiCluster": {
+          "clusterName": "",
+          "enabled": false
+        },
+        "network": "",
+        "omitSidecarInjectorConfigMap": false,
+        "operatorManageWebhooks": false,
+        "pilotCertProvider": "istiod",
+        "priorityClassName": "",
+        "proxy": {
+          "autoInject": "enabled",
+          "clusterDomain": "cluster.local",
+          "componentLogLevel": "misc:error",
+          "excludeIPRanges": "",
+          "excludeInboundPorts": "",
+          "excludeOutboundPorts": "",
+          "image": "proxyv2",
+          "includeIPRanges": "*",
+          "includeInboundPorts": "*",
+          "includeOutboundPorts": "",
+          "logLevel": "warning",
+          "outlierLogPath": "",
+          "privileged": false,
+          "readinessFailureThreshold": 4,
+          "readinessInitialDelaySeconds": 0,
+          "readinessPeriodSeconds": 15,
+          "resources": {
+            "limits": {
+              "cpu": "2000m",
+              "memory": "1024Mi"
+            },
+            "requests": {
+              "cpu": "100m",
+              "memory": "128Mi"
+            }
+          },
+          "startupProbe": {
+            "enabled": true,
+            "failureThreshold": 600
+          },
+          "statusPort": 15020,
+          "tracer": "none"
+        },
+        "proxy_init": {
+          "forceApplyIptables": false,
+          "image": "proxyv2"
+        },
+        "remotePilotAddress": "",
+        "sds": {
+          "token": {
+            "aud": "istio-ca"
+          }
+        },
+        "sts": {
+          "servicePort": 0
+        },
+        "tag": "1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f",
+        "variant": "",
+        "waypoint": {
+          "affinity": {},
+          "nodeSelector": {},
+          "resources": {
+            "limits": {
+              "cpu": "2",
+              "memory": "1Gi"
+            },
+            "requests": {
+              "cpu": "100m",
+              "memory": "128Mi"
+            }
+          },
+          "tolerations": [],
+          "topologySpreadConstraints": []
+        }
+      },
+      "pilot": {
+        "cni": {
+          "enabled": false,
+          "provider": "default"
+        }
+      },
+      "revision": "",
+      "sidecarInjectorWebhook": {
+        "alwaysInjectSelector": [],
+        "defaultTemplates": [],
+        "enableNamespacesByDefault": false,
+        "injectedAnnotations": {},
+        "neverInjectSelector": [],
+        "reinvocationPolicy": "Never",
+        "rewriteAppHTTPProbe": true,
+        "templates": {}
+      }
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istio-sidecar-injector
+  namespace: istio-system
diff --git a/deploy/components/istio-control-plane/deployments.yaml b/deploy/components/istio-control-plane/deployments.yaml
new file mode 100644
index 000000000..49de6b61c
--- /dev/null
+++ b/deploy/components/istio-control-plane/deployments.yaml
@@ -0,0 +1,183 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio: pilot
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istiod
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      istio: pilot
+  strategy:
+    rollingUpdate:
+      maxSurge: 100%
+      maxUnavailable: 25%
+  template:
+    metadata:
+      annotations:
+        prometheus.io/port: "15014"
+        prometheus.io/scrape: "true"
+        sidecar.istio.io/inject: "false"
+      labels:
+        app: istiod
+        app.kubernetes.io/instance: istio
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: istiod
+        app.kubernetes.io/part-of: istio
+        app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+        helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+        install.operator.istio.io/owning-resource: unknown
+        istio: pilot
+        istio.io/dataplane-mode: none
+        istio.io/rev: default
+        operator.istio.io/component: Pilot
+        sidecar.istio.io/inject: "false"
+    spec:
+      containers:
+      - args:
+        - discovery
+        - --monitoringAddr=:15014
+        - --log_output_level=default:info
+        - --domain
+        - cluster.local
+        - --keepaliveMaxServerConnectionAge
+        - 30m
+        env:
+        - name: REVISION
+          value: default
+        - name: PILOT_CERT_PROVIDER
+          value: istiod
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.name
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
+        - name: SERVICE_ACCOUNT
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.serviceAccountName
+        - name: KUBECONFIG
+          value: /var/run/secrets/remote/config
+        - name: CA_TRUSTED_NODE_ACCOUNTS
+          value: istio-system/ztunnel
+        - name: PILOT_TRACE_SAMPLING
+          value: "1"
+        - name: PILOT_ENABLE_ANALYSIS
+          value: "false"
+        - name: CLUSTER_ID
+          value: Kubernetes
+        - name: GOMEMLIMIT
+          valueFrom:
+            resourceFieldRef:
+              resource: limits.memory
+        - name: GOMAXPROCS
+          valueFrom:
+            resourceFieldRef:
+              divisor: "1"
+              resource: limits.cpu
+        - name: PLATFORM
+          value: ""
+        image: gcr.io/istio-testing/pilot:1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+        name: discovery
+        ports:
+        - containerPort: 8080
+          name: http-debug
+          protocol: TCP
+        - containerPort: 15010
+          name: grpc-xds
+          protocol: TCP
+        - containerPort: 15012
+          name: tls-xds
+          protocol: TCP
+        - containerPort: 15017
+          name: https-webhooks
+          protocol: TCP
+        - containerPort: 15014
+          name: http-monitoring
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /ready
+            port: 8080
+          initialDelaySeconds: 1
+          periodSeconds: 3
+          timeoutSeconds: 5
+        resources:
+          requests:
+            cpu: 500m
+            memory: 2048Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+        volumeMounts:
+        - mountPath: /var/run/secrets/tokens
+          name: istio-token
+          readOnly: true
+        - mountPath: /var/run/secrets/istio-dns
+          name: local-certs
+        - mountPath: /etc/cacerts
+          name: cacerts
+          readOnly: true
+        - mountPath: /var/run/secrets/remote
+          name: istio-kubeconfig
+          readOnly: true
+        - mountPath: /var/run/secrets/istiod/tls
+          name: istio-csr-dns-cert
+          readOnly: true
+        - mountPath: /var/run/secrets/istiod/ca
+          name: istio-csr-ca-configmap
+          readOnly: true
+      serviceAccountName: istiod
+      tolerations:
+      - key: cni.istio.io/not-ready
+        operator: Exists
+      volumes:
+      - emptyDir:
+          medium: Memory
+        name: local-certs
+      - name: istio-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: istio-ca
+              expirationSeconds: 43200
+              path: istio-token
+      - name: cacerts
+        secret:
+          optional: true
+          secretName: cacerts
+      - name: istio-kubeconfig
+        secret:
+          optional: true
+          secretName: istio-kubeconfig
+      - name: istio-csr-dns-cert
+        secret:
+          optional: true
+          secretName: istiod-tls
+      - configMap:
+          defaultMode: 420
+          name: istio-ca-root-cert
+          optional: true
+        name: istio-csr-ca-configmap
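Review bot: The `discovery` container image is referenced by a mutable tag on a testing registry, `gcr.io/istio-testing/pilot:1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f`, so what runs as the control plane depends on whatever that tag resolves to at pull time. Pin it by digest, for example `image: gcr.io/istio-testing/pilot@sha256:<digest-of-reviewed-build>`, and record where the custom build comes from. The injector values in configmaps.yaml carry the same `hub` and `tag`, so the proxy images rendered from them presumably need the same treatment.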
diff --git a/deploy/components/istio-control-plane/hpa.yaml b/deploy/components/istio-control-plane/hpa.yaml
new file mode 100644
index 000000000..4c12098f0
--- /dev/null
+++ b/deploy/components/istio-control-plane/hpa.yaml
@@ -0,0 +1,31 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istiod
+  namespace: istio-system
+spec:
+  maxReplicas: 5
+  metrics:
+  - resource:
+      name: cpu
+      target:
+        averageUtilization: 80
+        type: Utilization
+    type: Resource
+  minReplicas: 1
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: istiod
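Review bot: `minReplicas: 1` combined with the istiod PodDisruptionBudget in policies.yaml (`minAvailable: 1`) means no voluntary eviction is permitted while the autoscaler sits at one replica, so a node drain will stall on the istiod pod. The sidecar-injector webhook in webhooks.yaml is registered with `failurePolicy: Fail`, so an unavailable istiod also blocks creation of the pods that webhook matches (its selectors are outside the visible part of that hunk). Consider `minReplicas: 2` here. The Deployment sets no `replicas`, so the HPA floor is what decides the count.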
diff --git a/deploy/components/istio-control-plane/kustomization.yaml b/deploy/components/istio-control-plane/kustomization.yaml
new file mode 100644
index 000000000..8ebad207e
--- /dev/null
+++ b/deploy/components/istio-control-plane/kustomization.yaml
@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------------------
+# Istio Control Plane
+#
+# **WARNING**: This is currently using a custom build which supports GIE.
+#
+# This deploys the Istio Control Plane to enable the creation of Gateways.
+# It is expected that the CRDs are deployed separately, before deploying
+# this.
+#
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: istio-system
+
+resources:
+- namespaces.yaml
+- configmaps.yaml
+- policies.yaml
+- service-accounts.yaml
+- rbac.yaml
+- services.yaml
+- webhooks.yaml
+- deployments.yaml
+- hpa.yaml
diff --git a/deploy/components/istio-control-plane/namespaces.yaml b/deploy/components/istio-control-plane/namespaces.yaml
new file mode 100644
index 000000000..f394e916f
--- /dev/null
+++ b/deploy/components/istio-control-plane/namespaces.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: istio-system
diff --git a/deploy/components/istio-control-plane/policies.yaml b/deploy/components/istio-control-plane/policies.yaml
new file mode 100644
index 000000000..204023657
--- /dev/null
+++ b/deploy/components/istio-control-plane/policies.yaml
@@ -0,0 +1,49 @@
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: istio-ingressgateway
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istio-ingress-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a7
+    install.operator.istio.io/owning-resource: unknown
+    istio: ingressgateway
+    istio.io/rev: default
+    operator.istio.io/component: IngressGateways
+    release: istio
+  name: istio-ingressgateway
+  namespace: istio-system
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+      istio: ingressgateway
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio: pilot
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istiod
+  namespace: istio-system
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app: istiod
+      istio: pilot
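Review bot: The first PodDisruptionBudget, `istio-ingressgateway`, selects pods labelled `app: istio-ingressgateway`, but deployments.yaml in this commit defines only `istiod`, so the budget appears to match nothing. The same leftover shows in rbac.yaml: Role and RoleBinding `istio-ingressgateway-sds` grant `get`/`watch`/`list` on secrets in `istio-system` to `istio-ingressgateway-service-account`, which service-accounts.yaml does not create. A binding to an account that does not exist yet takes effect for whoever later creates an account of that name. Unless a gateway is deployed from another component, these three objects are better removed.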
diff --git a/deploy/components/istio-control-plane/rbac.yaml b/deploy/components/istio-control-plane/rbac.yaml
new file mode 100644
index 000000000..db744c8b5
--- /dev/null
+++ b/deploy/components/istio-control-plane/rbac.yaml
@@ -0,0 +1,591 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: istio-reader
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-reader
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istio-reader-clusterrole-istio-system
+rules:
+- apiGroups:
+  - config.istio.io
+  - security.istio.io
+  - networking.istio.io
+  - authentication.istio.io
+  - rbac.istio.io
+  - telemetry.istio.io
+  - extensions.istio.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - pods
+  - services
+  - nodes
+  - replicationcontrollers
+  - namespaces
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - workloadentries
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - networking.x-k8s.io
+  - gateway.networking.k8s.io
+  resources:
+  - gateways
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - multicluster.x-k8s.io
+  resources:
+  - serviceexports
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - multicluster.x-k8s.io
+  resources:
+  - serviceimports
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod-clusterrole-istio-system
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - config.istio.io
+  - security.istio.io
+  - networking.istio.io
+  - authentication.istio.io
+  - rbac.istio.io
+  - telemetry.istio.io
+  - extensions.istio.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - workloadentries
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - workloadentries/status
+  - serviceentries/status
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+- apiGroups:
+  - security.istio.io
+  resources:
+  - authorizationpolicies/status
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - services
+  - namespaces
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - discovery.k8s.io
+  resources:
+  - endpointslices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - ingressclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses/status
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - '*'
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - backendtlspolicies/status
+  - gatewayclasses/status
+  - gateways/status
+  - grpcroutes/status
+  - httproutes/status
+  - referencegrants/status
+  - tcproutes/status
+  - tlsroutes/status
+  - udproutes/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - gatewayclasses
+  verbs:
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - inference.networking.x-k8s.io
+  resources:
+  - inferencepools
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - inference.networking.x-k8s.io
+  resources:
+  - inferencepools/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - multicluster.x-k8s.io
+  resources:
+  - serviceexports
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - delete
+- apiGroups:
+  - multicluster.x-k8s.io
+  resources:
+  - serviceimports
+  verbs:
+  - get
+  - watch
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod-gateway-controller-istio-system
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - watch
+  - list
+  - update
+  - patch
+  - create
+  - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: istio-reader
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-reader
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istio-reader-clusterrole-istio-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istio-reader-clusterrole-istio-system
+subjects:
+- kind: ServiceAccount
+  name: istio-reader-service-account
+  namespace: istio-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod-clusterrole-istio-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-clusterrole-istio-system
+subjects:
+- kind: ServiceAccount
+  name: istiod
+  namespace: istio-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod-gateway-controller-istio-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: istiod-gateway-controller-istio-system
+subjects:
+- kind: ServiceAccount
+  name: istiod
+  namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istio-ingress-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a7
+    install.operator.istio.io/owning-resource: unknown
+    istio.io/rev: default
+    operator.istio.io/component: IngressGateways
+    release: istio
+  name: istio-ingressgateway-sds
+  namespace: istio-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+  - list
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod
+  namespace: istio-system
+rules:
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - gateways
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - get
+  - watch
+  - list
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - update
+  - patch
+  - create
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-ingressgateway
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istio-ingress-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a7
+    install.operator.istio.io/owning-resource: unknown
+    istio.io/rev: default
+    operator.istio.io/component: IngressGateways
+    release: istio
+  name: istio-ingressgateway-sds
+  namespace: istio-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+  name: istio-ingressgateway-service-account
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod
+  namespace: istio-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: istiod
+subjects:
+- kind: ServiceAccount
+  name: istiod
+  namespace: istio-system
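Review bot: ClusterRole `istio-reader-clusterrole-istio-system` lists `secrets` in its core-group rule with `get`/`list`/`watch`, and its ClusterRoleBinding hands that to `istio-reader-service-account` cluster-wide. The rendered values in configmaps.yaml show `multiCluster.enabled: false`, so this reader account looks unused here. If that is right, drop the ClusterRole, its binding and the matching ServiceAccount in service-accounts.yaml. `istiod-clusterrole-istio-system` carries the same cluster-wide secrets read, so if it has to stay, add a comment above that rule naming the feature that needs it so the grant can be reviewed.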
diff --git a/deploy/components/istio-control-plane/service-accounts.yaml b/deploy/components/istio-control-plane/service-accounts.yaml
new file mode 100644
index 000000000..da977b800
--- /dev/null
+++ b/deploy/components/istio-control-plane/service-accounts.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: istio-reader
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istio-reader
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: base-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istio-reader-service-account
+  namespace: istio-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    release: istio
+  name: istiod
+  namespace: istio-system
diff --git a/deploy/components/istio-control-plane/services.yaml b/deploy/components/istio-control-plane/services.yaml
new file mode 100644
index 000000000..5132adb33
--- /dev/null
+++ b/deploy/components/istio-control-plane/services.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio: pilot
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istiod
+  namespace: istio-system
+spec:
+  ports:
+  - name: grpc-xds
+    port: 15010
+    protocol: TCP
+  - name: https-dns
+    port: 15012
+    protocol: TCP
+  - name: https-webhook
+    port: 443
+    protocol: TCP
+    targetPort: 15017
+  - name: http-monitoring
+    port: 15014
+    protocol: TCP
+  selector:
+    app: istiod
+    istio: pilot
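Review bot: The Service publishes port 15010 (`grpc-xds`), which is Istio's plaintext XDS listener, next to the TLS one on 15012. No NetworkPolicy is listed in this component's kustomization.yaml, so any pod that can reach `istio-system` can presumably connect to it. If no client in this deployment uses plaintext XDS, remove the `grpc-xds` entry from `ports`, or restrict ingress to the namespace with a NetworkPolicy.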
diff --git a/deploy/components/istio-control-plane/webhooks.yaml b/deploy/components/istio-control-plane/webhooks.yaml
new file mode 100644
index 000000000..863c79a8c
--- /dev/null
+++ b/deploy/components/istio-control-plane/webhooks.yaml
@@ -0,0 +1,203 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  labels:
+    app: istiod
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    istio: istiod
+    istio.io/rev: default
+    release: istio
+  name: istio-validator-istio-system
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: /validate
+  failurePolicy: Ignore
+  name: rev.validation.istio.io
+  objectSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - default
+  rules:
+  - apiGroups:
+    - security.istio.io
+    - networking.istio.io
+    - telemetry.istio.io
+    - extensions.istio.io
+    apiVersions:
+    - '*'
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - '*'
+  sideEffects: None
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  labels:
+    app: sidecar-injector
+    app.kubernetes.io/instance: istio
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: istiod
+    app.kubernetes.io/part-of: istio
+    app.kubernetes.io/version: 1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    helm.sh/chart: istiod-1.26-alpha.80c74f7f43482c226f4f4b10b4dda6261b67a71f
+    install.operator.istio.io/owning-resource: unknown
+    istio.io/rev: default
+    operator.istio.io/component: Pilot
+    release: istio
+  name: istio-sidecar-injector
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: /inject
+      port: 443
+  failurePolicy: Fail
+  name: rev.namespace.sidecar-injector.istio.io
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: In
+      values:
+      - default
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+  reinvocationPolicy: Never
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: /inject
+      port: 443
+  failurePolicy: Fail
+  name: rev.object.sidecar-injector.istio.io
+  namespaceSelector:
+    matchExpressions:
+    - key: istio.io/rev
+      operator: DoesNotExist
+    - key: istio-injection
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+    - key: istio.io/rev
+      operator: In
+      values:
+      - default
+  reinvocationPolicy: Never
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: /inject
+      port: 443
+  failurePolicy: Fail
+  name: namespace.sidecar-injector.istio.io
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: In
+      values:
+      - enabled
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: NotIn
+      values:
+      - "false"
+  reinvocationPolicy: Never
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: istiod
+      namespace: istio-system
+      path: /inject
+      port: 443
+  failurePolicy: Fail
+  name: object.sidecar-injector.istio.io
+  namespaceSelector:
+    matchExpressions:
+    - key: istio-injection
+      operator: DoesNotExist
+    - key: istio.io/rev
+      operator: DoesNotExist
+  objectSelector:
+    matchExpressions:
+    - key: sidecar.istio.io/inject
+      operator: In
+      values:
+      - "true"
+    - key: istio.io/rev
+      operator: DoesNotExist
+  reinvocationPolicy: Never
+  rules:
+  - apiGroups:
+    - ""
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    resources:
+    - pods
+  sideEffects: None
diff --git a/deploy/components/sail-operator/.gitignore b/deploy/components/sail-operator/.gitignore
new file mode 100644
index 000000000..ee3892e87
--- /dev/null
+++ b/deploy/components/sail-operator/.gitignore
@@ -0,0 +1 @@
+charts/
diff --git a/deploy/components/sail-operator/kustomization.yaml b/deploy/components/sail-operator/kustomization.yaml
new file mode 100644
index 000000000..125a1c82f
--- /dev/null
+++ b/deploy/components/sail-operator/kustomization.yaml
@@ -0,0 +1,28 @@
+# ------------------------------------------------------------------------------
+# Istio Sail Operator
+#
+# This deploys the Istio Sail Operator via Helm chart to enable the creation
+# of Istio Control Planes, and ultimately Gateways. This will also deploy all
+# the Istio CRDs.
+#
+# **Warning**: This needs to be deployed before, and separately from other
+# components as it deploys CRDs. It can be deployed with:
+#
+#   $ kubectl kustomize --enable-helm deploy/components/sail-operator/ \
+#     | kubectl apply --server-side --force-conflicts -f -
+#
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: sail-operator
+
+resources:
+- namespaces.yaml
+
+helmCharts:
+- name: sail-operator
+  namespace: sail-operator
+  repo: https://istio-ecosystem.github.io/sail-operator
+  version: 1.25.1
+  includeCRDs: true
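Review bot: The `helmCharts` entry pulls the chart from `https://istio-ecosystem.github.io/sail-operator` at render time, pinned only by `version: 1.25.1`. As far as I know kustomize has no digest or provenance field for Helm charts, so what gets applied (CRDs included, with `--force-conflicts` per the header comment) is whatever that repo serves for the version string. Consider vendoring the chart archive or the rendered output and reviewing it in-tree, which appears to be how the istio-control-plane manifests in this commit are handled. The header comment could also say that `charts/` is the local download cache, which is why it is git-ignored.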
diff --git a/deploy/components/sail-operator/namespaces.yaml b/deploy/components/sail-operator/namespaces.yaml
new file mode 100644
index 000000000..ddc027d84
--- /dev/null
+++ b/deploy/components/sail-operator/namespaces.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sail-operator
diff --git a/deploy/components/vllm-sim/deployments.yaml b/deploy/components/vllm-sim/deployments.yaml
new file mode 100644
index 000000000..308d97ddb
--- /dev/null
+++ b/deploy/components/vllm-sim/deployments.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vllm-sim
+  labels:
+    app: vllm-llama3-8b-instruct
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vllm-llama3-8b-instruct
+  template:
+    metadata:
+      labels:
+        app: vllm-llama3-8b-instruct
+        ai-aware-router-pod: "true"
+    spec:
+      containers:
+      - name: vllm
+        image: quay.io/vllm-d/vllm-sim:latest
+        imagePullPolicy: IfNotPresent
+        args:
+        - "--port=8000"
+        - "--model=food-review"
+        # - "--lora=lora10,lora20,lora30"
+        # - "--time-to-first-token=500"
+        ports:
+          - containerPort: 8000
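Review bot: The `vllm` container sets no `securityContext` and no `resources`, so it runs as the image's default user with no limits. If the image supports a non-root user, `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true}` plus modest requests/limits would be a safer default for something deployed into shared dev clusters. The base also references `vllm-sim:latest` and relies on the kustomization's `newTag: 0.0.2` to pin it, so applying this file directly pulls a floating tag; pinning the tag here as well avoids that. The `ports` list is indented differently from the other lists in the file.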
diff --git a/deploy/components/vllm-sim/kustomization.yaml b/deploy/components/vllm-sim/kustomization.yaml
new file mode 100644
index 000000000..594d4ba86
--- /dev/null
+++ b/deploy/components/vllm-sim/kustomization.yaml
@@ -0,0 +1,16 @@
+# ------------------------------------------------------------------------------
+# VLLM Simulator
+#
+# This deploys a VLLM simulator which can be used to simulate inference for
+# small environments (e.g. Kubernetes In Docker (KIND) clusters), or for when
+# all that is needed is some basic functionality.
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- deployments.yaml
+
+images:
+- name: quay.io/vllm-d/vllm-sim
+  newTag: 0.0.2
diff --git a/deploy/environments/dev/kind/kustomization.yaml b/deploy/environments/dev/kind/kustomization.yaml
new file mode 100644
index 000000000..57fa4b319
--- /dev/null
+++ b/deploy/environments/dev/kind/kustomization.yaml
@@ -0,0 +1,18 @@
+# ------------------------------------------------------------------------------
+# Kubernetes In Docker (KIND) Environment
+#
+# This will deploy the full development stack on a KIND cluster:
+#
+#  * Istio Control Plane
+#  * VLLM Simulator
+#  * Inference Gateway
+#
+# This will expose the VLLM simulator via InferencePool and an HTTPRoute.
+# ------------------------------------------------------------------------------
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../components/istio-control-plane/
+- ../../../components/vllm-sim/
+- ../../../components/inference-gateway/
diff --git a/deploy/common/patch-service.yaml b/deploy/environments/dev/openshift/common/patch-service.yaml
similarity index 100%
rename from deploy/common/patch-service.yaml
rename to deploy/environments/dev/openshift/common/patch-service.yaml
diff --git a/deploy/common/patch-statefulset.yaml b/deploy/environments/dev/openshift/common/patch-statefulset.yaml
similarity index 100%
rename from deploy/common/patch-statefulset.yaml
rename to deploy/environments/dev/openshift/common/patch-statefulset.yaml
diff --git a/deploy/common/service.yaml b/deploy/environments/dev/openshift/common/service.yaml
similarity index 100%
rename from deploy/common/service.yaml
rename to deploy/environments/dev/openshift/common/service.yaml
diff --git a/deploy/common/statefulset.yaml b/deploy/environments/dev/openshift/common/statefulset.yaml
similarity index 100%
rename from deploy/common/statefulset.yaml
rename to deploy/environments/dev/openshift/common/statefulset.yaml
diff --git a/deploy/environments/dev/openshift/kustomization.yaml b/deploy/environments/dev/openshift/kustomization.yaml
new file mode 100644
index 000000000..e242bdae5
--- /dev/null
+++ b/deploy/environments/dev/openshift/kustomization.yaml
@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+# Set the namespace for all resources using a placeholder.
+namespace: ${NAMESPACE}
+
+# Use a prefix for all object names. You can substitute the PROJECT_NAME variable.
+namePrefix: ${PROJECT_NAME}-
+
+# List all the resources (manifests) you want to deploy.
+resources:
+- common/statefulset.yaml
+- common/service.yaml
+- openshift/route.yaml
+- rbac/exec-rbac-role.yaml
+- rbac/exec-rbac-rolebinding.yaml
+
+# Generate the ConfigMap with a variable name.
+configMapGenerator:
+- name: config
+  options:
+    disableNameSuffixHash: true
+
+# Include patches to update the Service, StatefulSet, Route, and RBAC resources.
+
+# Define the image to be updated.
+# images:
+# - name: quay.io/vllm-d/placeholder
+#   newName: quay.io/vllm-d/${IMAGE_TAG_BASE}
+#   newTag: ${VERSION}
+patches:
+- path: common/patch-service.yaml
+- path: common/patch-statefulset.yaml
+- path: openshift/patch-route.yaml
+- path: rbac/patch-rbac-role.yaml
+- path: rbac/patch-rbac-rolebinding.yaml
diff --git a/deploy/openshift/patch-route.yaml b/deploy/environments/dev/openshift/openshift/patch-route.yaml
similarity index 100%
rename from deploy/openshift/patch-route.yaml
rename to deploy/environments/dev/openshift/openshift/patch-route.yaml
diff --git a/deploy/openshift/route.yaml b/deploy/environments/dev/openshift/openshift/route.yaml
similarity index 100%
rename from deploy/openshift/route.yaml
rename to deploy/environments/dev/openshift/openshift/route.yaml
diff --git a/deploy/rbac/exec-rbac-role.yaml b/deploy/environments/dev/openshift/rbac/exec-rbac-role.yaml
similarity index 100%
rename from deploy/rbac/exec-rbac-role.yaml
rename to deploy/environments/dev/openshift/rbac/exec-rbac-role.yaml
diff --git a/deploy/rbac/exec-rbac-rolebinding.yaml b/deploy/environments/dev/openshift/rbac/exec-rbac-rolebinding.yaml
similarity index 100%
rename from deploy/rbac/exec-rbac-rolebinding.yaml
rename to deploy/environments/dev/openshift/rbac/exec-rbac-rolebinding.yaml
diff --git a/deploy/rbac/patch-rbac-role.yaml b/deploy/environments/dev/openshift/rbac/patch-rbac-role.yaml
similarity index 100%
rename from deploy/rbac/patch-rbac-role.yaml
rename to deploy/environments/dev/openshift/rbac/patch-rbac-role.yaml
diff --git a/deploy/rbac/patch-rbac-rolebinding.yaml b/deploy/environments/dev/openshift/rbac/patch-rbac-rolebinding.yaml
similarity index 100%
rename from deploy/rbac/patch-rbac-rolebinding.yaml
rename to deploy/environments/dev/openshift/rbac/patch-rbac-rolebinding.yaml
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index e242bdae5..cfed0773b 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -8,29 +8,5 @@ namespace: ${NAMESPACE}
 namePrefix: ${PROJECT_NAME}-
 
 # List all the resources (manifests) you want to deploy.
-resources:
-- common/statefulset.yaml
-- common/service.yaml
-- openshift/route.yaml
-- rbac/exec-rbac-role.yaml
-- rbac/exec-rbac-rolebinding.yaml
 
-# Generate the ConfigMap with a variable name.
-configMapGenerator:
-- name: config
-  options:
-    disableNameSuffixHash: true
-
-# Include patches to update the Service, StatefulSet, Route, and RBAC resources.
-
-# Define the image to be updated.
-# images:
-# - name: quay.io/vllm-d/placeholder
-#   newName: quay.io/vllm-d/${IMAGE_TAG_BASE}
-#   newTag: ${VERSION}
-patches:
-- path: common/patch-service.yaml
-- path: common/patch-statefulset.yaml
-- path: openshift/patch-route.yaml
-- path: rbac/patch-rbac-role.yaml
-- path: rbac/patch-rbac-rolebinding.yaml
+# Include patches to update existing resources, if any
diff --git a/go.mod b/go.mod
index 20cf017a5..ab80d1535 100644
--- a/go.mod
+++ b/go.mod
@@ -108,8 +108,8 @@ require (
 	golang.org/x/crypto v0.36.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/mod v0.24.0 // indirect
-	golang.org/x/net v0.37.0 // indirect
-	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.32.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
diff --git a/go.sum b/go.sum
index cd6cd380b..fcfd3ebf6 100644
--- a/go.sum
+++ b/go.sum
@@ -238,10 +238,12 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
 golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
diff --git a/hooks/pre-commit b/hooks/pre-commit
new file mode 100755
index 000000000..aa065a73d
--- /dev/null
+++ b/hooks/pre-commit
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -e
+
+echo "▶️  Running lint…"
+make lint
+
+echo "▶️  Running tests…"
+make test
+
+echo "✔️  All checks passed!"
diff --git a/pkg/epp/datastore/datastore.go b/pkg/epp/datastore/datastore.go
index 5435e3af8..db37c06bd 100644
--- a/pkg/epp/datastore/datastore.go
+++ b/pkg/epp/datastore/datastore.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"sync"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -34,7 +35,9 @@ import (
 )
 
 const (
-	ModelNameIndexKey = "spec.modelName"
+	ModelNameIndexKey              = "spec.modelName"
+	sessionKeepAliveTime           = 60 * time.Minute // How long should an idle session be kept alive
+	sessionKeepAliveCheckFrequency = 15 * time.Minute // How often to check for overly idle sessions
 )
 
 var (
@@ -65,6 +68,9 @@ type Datastore interface {
 	PodDelete(namespacedName types.NamespacedName)
 	PodResyncAll(ctx context.Context, ctrlClient client.Client, pool *v1alpha2.InferencePool)
 
+	SetPodForSession(sessionID string, pod *backendmetrics.Pod)
+	GetPodForSession(sessionID string) *backendmetrics.Pod
+
 	// Clears the store state, happens when the pool gets deleted.
 	Clear()
 }
@@ -75,8 +81,12 @@ func NewDatastore(parentCtx context.Context, pmf *backendmetrics.PodMetricsFacto
 		poolAndModelsMu: sync.RWMutex{},
 		models:          make(map[string]*v1alpha2.InferenceModel),
 		pods:            &sync.Map{},
+		sessions:        &sync.Map{},
 		pmf:             pmf,
 	}
+
+	go store.cleanupSessions(sessionKeepAliveCheckFrequency, sessionKeepAliveTime, parentCtx)
+
 	return store
 }
 
@@ -90,7 +100,9 @@ type datastore struct {
 	models map[string]*v1alpha2.InferenceModel
 	// key: types.NamespacedName, value: backendmetrics.PodMetrics
 	pods *sync.Map
-	pmf  *backendmetrics.PodMetricsFactory
+	// key: session id, value: *backendmetrics.Pod
+	sessions *sync.Map
+	pmf      *backendmetrics.PodMetricsFactory
 }
 
 func (ds *datastore) Clear() {
@@ -291,6 +303,61 @@ func (ds *datastore) PodDelete(namespacedName types.NamespacedName) {
 	}
 }
 
+type sessionInfo struct {
+	pod *backendmetrics.Pod
+	lru time.Time
+}
+
+// cleanup Cleans up the set of stored session information by removing information
+// of old sessions.
+func (ds *datastore) cleanupSessions(keepAliveCheckFrequency time.Duration, sessionKeepAlive time.Duration, ctx context.Context) {
+	logger := log.FromContext(ctx)
+
+	logger.Info("Session-affinity cleanup started")
+	ticker := time.NewTicker(keepAliveCheckFrequency)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			logger.Info("Session-affinity cleanup stopped:")
+			return
+		case now := <-ticker.C:
+			logger.Info("Session affinity checking")
+			ds.sessions.Range(
+				func(sessionID any, rawSessionInfo any) bool {
+					if sessionInfo, ok := rawSessionInfo.(*sessionInfo); ok {
+						if now.Sub(sessionInfo.lru) > sessionKeepAlive {
+							// Session is stale, remove it
+							ds.sessions.Delete(sessionID)
+						}
+					} else {
+						// Value is not of the correct type, remove it
+						ds.sessions.Delete(sessionID)
+					}
+					return true
+				})
+		}
+	}
+}
+
+func (ds *datastore) SetPodForSession(sessionID string, pod *backendmetrics.Pod) {
+	ds.sessions.Store(sessionID, &sessionInfo{
+		pod: pod,
+		lru: time.Now(),
+	})
+}
+
+func (ds *datastore) GetPodForSession(sessionID string) *backendmetrics.Pod {
+	if value, ok := ds.sessions.Load(sessionID); ok {
+		if sessionInfo, ok := value.(*sessionInfo); ok {
+			return sessionInfo.pod
+		}
+	}
+
+	return nil
+}
+
 func selectorFromInferencePoolSelector(selector map[v1alpha2.LabelKey]v1alpha2.LabelValue) labels.Selector {
 	return labels.SelectorFromSet(stripLabelKeyAliasFromLabelMap(selector))
 }
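Review bot: Nothing bounds the `sessions` map that `SetPodForSession` writes to. The key is whatever the client sent in the `Session-ID` header, or a fresh UUID minted per request in `HandleRequestHeaders` (pkg/epp/handlers/request.go), and the `Process` hunk in pkg/epp/handlers/server.go stores an entry on every response. With `sessionKeepAliveTime` at 60 minutes and a 15-minute sweep, an entry can live about 75 minutes, so a client that varies the header, or never sends one, grows the map in proportion to request rate. Consider storing only IDs the client actually supplied and capping both key length and entry count in `SetPodForSession`. Separately, the doc comment should start with the function name, e.g. `// cleanupSessions removes session entries idle for longer than sessionKeepAlive.`, and `ctx` is conventionally the first parameter.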
diff --git a/pkg/epp/handlers/request.go b/pkg/epp/handlers/request.go
index 44537923d..10b7c015c 100644
--- a/pkg/epp/handlers/request.go
+++ b/pkg/epp/handlers/request.go
@@ -21,9 +21,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	extProcPb "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3"
+	"github.com/google/uuid"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/gateway-api-inference-extension/api/v1alpha2"
 	schedulingtypes "sigs.k8s.io/gateway-api-inference-extension/pkg/epp/scheduling/types"
@@ -62,12 +64,14 @@ func (s *StreamingServer) HandleRequestBody(
 			return reqCtx, errutil.Error{Code: errutil.BadConfiguration, Msg: fmt.Sprintf("error getting target model name for model %v", modelObj.Name)}
 		}
 	}
+
 	llmReq := &schedulingtypes.LLMRequest{
 		Model:               model,
 		ResolvedTargetModel: modelName,
 		Critical:            modelObj.Spec.Criticality != nil && *modelObj.Spec.Criticality == v1alpha2.Critical,
+		SessionID:           reqCtx.SessionID,
 	}
-	logger.V(logutil.DEBUG).Info("LLM request assembled", "model", llmReq.Model, "targetModel", llmReq.ResolvedTargetModel, "critical", llmReq.Critical)
+	logger.V(logutil.DEBUG).Info("LLM request assembled", "model", llmReq.Model, "targetModel", llmReq.ResolvedTargetModel, "critical", llmReq.Critical, "session id", reqCtx.SessionID)
 
 	var err error
 	// Update target models in the body.
@@ -132,6 +136,16 @@ func (s *StreamingServer) HandleRequestBody(
 func (s *StreamingServer) HandleRequestHeaders(ctx context.Context, reqCtx *RequestContext, req *extProcPb.ProcessingRequest_RequestHeaders) error {
 	reqCtx.RequestReceivedTimestamp = time.Now()
 
+	for _, header := range req.RequestHeaders.Headers.GetHeaders() {
+		value := string(header.RawValue)
+		if strings.ToLower(header.Key) == strings.ToLower(SessionIDHeader) && value != "" {
+			reqCtx.SessionID = value
+		}
+	}
+	if reqCtx.SessionID == "" {
+		reqCtx.SessionID = uuid.NewString()
+	}
+
 	// an EoS in the request headers means this request has no body or trailers.
 	if req.RequestHeaders.EndOfStream {
 		// We will route this request to a random pod as this is assumed to just be a GET
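Review bot: The added loop takes the `Session-ID` value from the request verbatim, with no length or character check, and the value is then used as a datastore key, logged, and echoed back in the response header. If clients are only expected to replay server-issued IDs, rejecting anything that is not a UUID keeps keys fixed-size: `if _, err := uuid.Parse(value); err != nil { continue }`. `strings.EqualFold(header.Key, SessionIDHeader)` would replace the double `strings.ToLower` comparison. The loop reads only `header.RawValue`; if the proxy can populate `Value` instead, the header would be silently ignored, which is worth confirming. The function body continues outside the hunk.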
diff --git a/pkg/epp/handlers/server.go b/pkg/epp/handlers/server.go
index 7bb0fcb16..1daed9b3b 100644
--- a/pkg/epp/handlers/server.go
+++ b/pkg/epp/handlers/server.go
@@ -73,6 +73,7 @@ type RequestContext struct {
 	TargetPod                 string
 	TargetEndpoint            string
 	Model                     string
+	SessionID                 string
 	ResolvedTargetModel       string
 	RequestReceivedTimestamp  time.Time
 	ResponseCompleteTimestamp time.Time
@@ -108,6 +109,8 @@ const (
 	TrailerResponseResponsesComplete StreamRequestState = 7
 )
 
+const SessionIDHeader = "Session-ID"
+
 func (s *StreamingServer) Process(srv extProcPb.ExternalProcessor_ProcessServer) error {
 	ctx := srv.Context()
 	logger := log.FromContext(ctx)
@@ -197,6 +200,16 @@ func (s *StreamingServer) Process(srv extProcPb.ExternalProcessor_ProcessServer)
 					loggerTrace.Info("model server is streaming response")
 				}
 			}
+			// Save session is -> pod mapping
+			allPods := s.datastore.PodGetAll()
+
+			for _, pod := range allPods {
+				if pod.GetPod().NamespacedName.String() == reqCtx.TargetPod {
+					s.datastore.SetPodForSession(reqCtx.SessionID, pod.GetPod())
+					break
+				}
+			}
+
 			reqCtx.RequestState = ResponseRecieved
 			reqCtx.respHeaderResp = &extProcPb.ProcessingResponse{
 				Response: &extProcPb.ProcessingResponse_ResponseHeaders{
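Review bot: The session-to-pod mapping is recorded as soon as response headers arrive, and nothing in this hunk checks whether the upstream response succeeded, so a session may be pinned to a pod that has just returned an error. If that is unintended, gate the `SetPodForSession` call on the response status. The lookup also walks `PodGetAll()` on every response just to match `reqCtx.TargetPod`. The comment has a typo and should read `// Save session id -> pod mapping`. `Process` starts and ends outside the hunk.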
@@ -211,6 +224,12 @@ func (s *StreamingServer) Process(srv extProcPb.ExternalProcessor_ProcessServer)
 											RawValue: []byte("true"),
 										},
 									},
+									{
+										Header: &configPb.HeaderValue{
+											Key:      SessionIDHeader,
+											RawValue: []byte(reqCtx.SessionID),
+										},
+									},
 								},
 							},
 						},
diff --git a/pkg/epp/scheduling/scheduler.go b/pkg/epp/scheduling/scheduler.go
index 8679ffbad..cdb03fc40 100644
--- a/pkg/epp/scheduling/scheduler.go
+++ b/pkg/epp/scheduling/scheduler.go
@@ -20,7 +20,6 @@ package scheduling
 import (
 	"context"
 	"fmt"
-	"math/rand"
 
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	backendmetrics "sigs.k8s.io/gateway-api-inference-extension/pkg/epp/backend/metrics"
@@ -116,10 +115,14 @@ var (
 )
 
 func NewScheduler(datastore Datastore) *Scheduler {
+	sMng := NewScorerMng()
+	sMng.addScorer(NewSessionAffinityScorer(1, datastore))
+
 	return &Scheduler{
 		datastore:              datastore,
 		criticalRequestFilter:  lowLatencyFilter,
 		sheddableRequestFilter: sheddableRequestFilter,
+		scorerMng:              sMng,
 	}
 }
 
@@ -127,10 +130,12 @@ type Scheduler struct {
 	datastore              Datastore
 	criticalRequestFilter  Filter
 	sheddableRequestFilter Filter
+	scorerMng              *ScorerMng
 }
 
 type Datastore interface {
 	PodGetAll() []backendmetrics.PodMetrics
+	GetPodForSession(SessionID string) *backendmetrics.Pod
 }
 
 // Schedule finds the target pod based on metrics and the requested lora adapter.
@@ -154,7 +159,11 @@ func (s *Scheduler) Schedule(ctx context.Context, req *types.LLMRequest) (target
 	if err != nil || len(pods) == 0 {
 		return nil, fmt.Errorf("failed to apply filter, resulted %v pods, this should never happen: %w", len(pods), err)
 	}
-	logger.V(logutil.DEBUG).Info(fmt.Sprintf("Selecting a random pod from %d candidates: %+v", len(pods), pods))
-	i := rand.Intn(len(pods))
-	return pods[i], nil
+
+	selectedPod, err := s.scorerMng.scoreTargets(sCtx, pods)
+	if err != nil {
+		return nil, fmt.Errorf("failed to apply scorers: %w", err)
+	}
+
+	return selectedPod, nil
 }
diff --git a/pkg/epp/scheduling/scheduler_test.go b/pkg/epp/scheduling/scheduler_test.go
index 3fd3fb244..64f609da8 100644
--- a/pkg/epp/scheduling/scheduler_test.go
+++ b/pkg/epp/scheduling/scheduler_test.go
@@ -230,3 +230,7 @@ func (fds *fakeDataStore) PodGetAll() []backendmetrics.PodMetrics {
 	}
 	return pm
 }
+
+func (fds *fakeDataStore) GetPodForSession(sessionID string) *backendmetrics.Pod {
+	return nil
+}
diff --git a/pkg/epp/scheduling/scorer.go b/pkg/epp/scheduling/scorer.go
new file mode 100644
index 000000000..703342ecc
--- /dev/null
+++ b/pkg/epp/scheduling/scorer.go
@@ -0,0 +1,113 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package scheduling
+
+import (
+	"errors"
+	"math/rand/v2"
+
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/gateway-api-inference-extension/pkg/epp/scheduling/types"
+)
+
+type PodScore struct {
+	Score float64
+	Pod   *types.PodMetrics
+}
+
+// Scorer is the interface that scorers must implement
+type Scorer interface {
+	ScoreTargets(ctx *types.Context, pods []*types.PodMetrics) ([]PodScore, error)
+}
+
+// Scorer is the interface that scorers must implement
+type ScorerMng struct {
+	scorers []Scorer
+}
+
+func NewScorerMng() *ScorerMng {
+	return &ScorerMng{
+		scorers: make([]Scorer, 0),
+	}
+}
+
+func (sm *ScorerMng) addScorer(scorer Scorer) {
+	sm.scorers = append(sm.scorers, scorer)
+}
+
+func (sm *ScorerMng) scoreTargets(ctx *types.Context, pods []*types.PodMetrics) (*types.PodMetrics, error) {
+	logger := log.FromContext(ctx)
+
+	podsTotalScore := make(map[*types.PodMetrics]float64)
+	validPods := make([]*types.PodMetrics, 0)
+
+	// initialize zero score for all pods + check that pods are valid
+	for _, pod := range pods {
+		if pod == nil || pod.Pod == nil || pod.Metrics == nil {
+			logger.Info("Invalid/empty pod skipped in scoring process")
+		} else {
+			validPods = append(validPods, pod)
+			podsTotalScore[pod] = 0.0
+		}
+	}
+
+	if len(validPods) == 0 {
+		return nil, errors.New("Empty list of valid pods to score")
+	}
+
+	// add scores from all scorers
+	for _, scorer := range sm.scorers {
+		scoredPods, err := scorer.ScoreTargets(ctx, validPods)
+		if err != nil {
+			// in case scorer failed - don't use it in the total score, but continue to other scorers
+			logger.Error(err, "Score targets returned error in scorer")
+		} else {
+			for _, scoredPod := range scoredPods {
+				podsTotalScore[scoredPod.Pod] += scoredPod.Score
+			}
+		}
+	}
+
+	// select pod with maximum score, if more than one with the max score - use random pods from the list
+	var highestScoreTargets []*types.PodMetrics
+	// score weights cound be negative
+	maxScore := 0.0
+	isFirst := true
+
+	for pod, score := range podsTotalScore {
+		if isFirst {
+			maxScore = score
+			highestScoreTargets = []*types.PodMetrics{pod}
+			isFirst = false
+		} else {
+			if score > maxScore {
+				maxScore = score
+				highestScoreTargets = []*types.PodMetrics{pod}
+			} else if score == maxScore {
+				highestScoreTargets = append(highestScoreTargets, pod)
+			}
+		}
+	}
+
+	// single pod with max score
+	if len(highestScoreTargets) == 1 {
+		return highestScoreTargets[0], nil
+	}
+
+	// select random pod from list of pods with max score
+	return highestScoreTargets[rand.IntN(len(highestScoreTargets))], nil
+}
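Review bot: In `scoreTargets`, `podsTotalScore[scoredPod.Pod] += scoredPod.Score` creates a map entry for any pointer a scorer returns, including `nil` or a pod that was excluded from `validPods`, and that entry then competes in the max-score selection below. Guard the accumulation: `if _, ok := podsTotalScore[scoredPod.Pod]; ok { podsTotalScore[scoredPod.Pod] += scoredPod.Score }`. Smaller items: the comment above `ScorerMng` repeats the one for `Scorer`, `cound` should be `could`, and Go error strings are conventionally lower-case (`errors.New("empty list of valid pods to score")`).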
diff --git a/pkg/epp/scheduling/session_affinity_scorer.go b/pkg/epp/scheduling/session_affinity_scorer.go
new file mode 100644
index 000000000..678bc0692
--- /dev/null
+++ b/pkg/epp/scheduling/session_affinity_scorer.go
@@ -0,0 +1,63 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package scheduling
+
+import (
+	"sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/gateway-api-inference-extension/pkg/epp/scheduling/types"
+)
+
+// sessionAffinity is a routing scorer that routes subsequent
+// requests in a session to the same pod as the first request in the
+// session was sent to, by giving that pod the specified weight and assigning
+// zero score to the rest of the targets
+type SessionAffinityScorer struct {
+	weight    float64
+	datastore Datastore
+}
+
+func NewSessionAffinityScorer(weight float64, datastore Datastore) Scorer {
+	return SessionAffinityScorer{
+		weight:    weight,
+		datastore: datastore,
+	}
+}
+
+// ScoreTargets does the actual scoring of the target pods by the session affinity.
+func (s SessionAffinityScorer) ScoreTargets(ctx *types.Context, pods []*types.PodMetrics) ([]PodScore, error) {
+	logger := log.FromContext(ctx)
+
+	scoredPods := make([]PodScore, len(pods))
+	selectedPodFullName := ""
+
+	if ctx.Req.SessionID != "" {
+		selectedPod := s.datastore.GetPodForSession(ctx.Req.SessionID)
+		if selectedPod != nil {
+			selectedPodFullName = selectedPod.NamespacedName.String()
+		}
+	}
+
+	// session is not defined - no score for all pods
+	for i, pod := range pods {
+		if selectedPodFullName == pod.NamespacedName.String() {
+			logger.Info("Pod found for session", "session id", ctx.Req.SessionID, "pod", pod.NamespacedName.String())
+			scoredPods[i].Score = s.weight
+		}
+		scoredPods[i].Pod = pod
+	}
+
+	return scoredPods, nil
+}
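Review bot: `ScoreTargets` logs at Info level for every request that matches an existing session and includes the client-supplied session ID, whereas the request handler logs the same field under `logger.V(logutil.DEBUG)`. On a busy gateway that is one Info line per request carrying a caller-controlled value; suggest `logger.V(logutil.DEBUG).Info("Pod found for session", ...)`, which needs the `logutil` import this file does not have yet. The type comment names `sessionAffinity` rather than `SessionAffinityScorer`. The comment `// session is not defined - no score for all pods` above the loop reads as if the loop were skipped; `// give the session's pod the weight; all other pods stay at zero` would fit better.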
diff --git a/pkg/epp/scheduling/types/types.go b/pkg/epp/scheduling/types/types.go
index 9450652ed..2a0605145 100644
--- a/pkg/epp/scheduling/types/types.go
+++ b/pkg/epp/scheduling/types/types.go
@@ -33,6 +33,7 @@ type LLMRequest struct {
 	// Resolved target model is the final target model after traffic split.
 	ResolvedTargetModel string
 	Critical            bool
+	SessionID           string
 }
 
 // Context holds contextual information during a scheduling operation.
diff --git a/scripts/kind-dev-env.sh b/scripts/kind-dev-env.sh
new file mode 100755
index 000000000..3cad7fbad
--- /dev/null
+++ b/scripts/kind-dev-env.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+
+# This shell script deploys a kind cluster with an Istio-based Gateway API
+# implementation fully configured. It deploys the vllm simulator, which it
+# exposes with a Gateway -> HTTPRoute -> InferencePool. The Gateway is
+# configured with the a filter for the ext_proc endpoint picker.
+
+set -eo pipefail
+
+# ------------------------------------------------------------------------------
+# Variables
+# ------------------------------------------------------------------------------
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# TODO: get image names, paths, versions, etc. from the .version.json file
+# See: https://github.com/neuralmagic/gateway-api-inference-extension/issues/28
+
+# Set a default CLUSTER_NAME if not provided
+: "${CLUSTER_NAME:=gie-dev}"
+
+# Set the namespace to deploy the Gateway stack to
+: "${PROJECT_NAMESPACE:=default}"
+
+# ------------------------------------------------------------------------------
+# Setup & Requirement Checks
+# ------------------------------------------------------------------------------
+
+# Check for a supported container runtime if an explicit one was not set
+if [ -z "${CONTAINER_RUNTIME}" ]; then
+  if command -v docker &> /dev/null; then
+    CONTAINER_RUNTIME="docker"
+  elif command -v podman &> /dev/null; then
+    CONTAINER_RUNTIME="podman"
+  else
+    echo "Neither docker nor podman could be found in PATH" >&2
+    exit 1
+  fi
+fi
+
+set -u
+
+# Check for required programs
+for cmd in kind kubectl ${CONTAINER_RUNTIME}; do
+    if ! command -v "$cmd" &> /dev/null; then
+        echo "Error: $cmd is not installed or not in the PATH."
+        exit 1
+    fi
+done
+
+# @TODO Make sure the EPP and vllm-sim images are present or built
+# EPP: `make image-load` in the GIE repo
+# vllm-sim: ``
+# note: you may need to retag the built images to match the expected path and
+# versions listed above
+# See: https://github.com/neuralmagic/gateway-api-inference-extension/issues/28
+
+# ------------------------------------------------------------------------------
+# Cluster Deployment
+# ------------------------------------------------------------------------------
+
+# Check if the cluster already exists
+if kind get clusters 2>/dev/null | grep -q "^${CLUSTER_NAME}$"; then
+    echo "Cluster '${CLUSTER_NAME}' already exists, re-using"
+else
+    kind create cluster --name "${CLUSTER_NAME}"
+fi
+
+# Set the kubectl context to the kind cluster
+KUBE_CONTEXT="kind-${CLUSTER_NAME}"
+
+set -x
+
+# Load the required container images
+"${SCRIPT_DIR}/kind-load-images.sh"
+
+# Hotfix for https://github.com/kubernetes-sigs/kind/issues/3880
+CONTAINER_NAME="${CLUSTER_NAME}-control-plane"
+${CONTAINER_RUNTIME} exec -it ${CONTAINER_NAME} /bin/bash -c "sysctl net.ipv4.conf.all.arp_ignore=0"
+
+# Wait for all pods to be ready
+kubectl --context ${KUBE_CONTEXT} -n kube-system wait --for=condition=Ready --all pods --timeout=300s
+kubectl --context ${KUBE_CONTEXT} -n local-path-storage wait --for=condition=Ready --all pods --timeout=300s
+
+# ------------------------------------------------------------------------------
+# CRD Deployment (Gateway API + GIE)
+# ------------------------------------------------------------------------------
+
+kubectl kustomize deploy/components/crds |
+	kubectl --context ${KUBE_CONTEXT} apply --server-side --force-conflicts -f -
+
+# ------------------------------------------------------------------------------
+# Istio Control Plane Deployment
+# ------------------------------------------------------------------------------
+
+kubectl kustomize deploy/components/istio-control-plane | kubectl --context ${KUBE_CONTEXT} apply -f -
+
+# ------------------------------------------------------------------------------
+# Development Environment
+# ------------------------------------------------------------------------------
+
+# Deploy the environment to the "default" namespace
+kubectl kustomize deploy/environments/dev/kind | sed "s/REPLACE_NAMESPACE/${PROJECT_NAMESPACE}/gI" \
+	| kubectl --context ${KUBE_CONTEXT} apply -f -
+
+# Wait for all pods to be ready
+kubectl --context ${KUBE_CONTEXT} wait --for=condition=Ready --all pods --timeout=300s
+
+# Wait for the gateway to be ready
+kubectl --context ${KUBE_CONTEXT} wait gateway/inference-gateway --for=condition=Programmed --timeout=60s
+
+cat <<EOF
+-----------------------------------------
+Deployment completed!
+
+* Kind Cluster Name: ${CLUSTER_NAME}
+* Kubectl Context: ${KUBE_CONTEXT}
+
+Status:
+
+* The vllm simulator is running and exposed via InferencePool
+* The Gateway is exposing the InferencePool via HTTPRoute
+* The Endpoint Picker is loaded into the Gateway via ext_proc
+
+You can watch the Endpoint Picker logs with:
+
+  $ kubectl --context ${KUBE_CONTEXT} logs -f deployments/endpoint-picker
+
+You can use a port-forward to access the Gateway:
+
+  $ kubectl --context ${KUBE_CONTEXT} port-forward service/inference-gateway-istio 8080:80
+
+With that running in the background, you can make requests:
+
+  $ curl -s -w '\n' http://localhost:8080/v1/completions -H 'Content-Type: application/json' -d '{"model":"food-review","prompt":"hi","max_tokens":10,"temperature":0}' | jq
+
+-----------------------------------------
+EOF
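Review bot: `PROJECT_NAMESPACE` is honoured only by the `sed` substitution in the Development Environment section; the two `kubectl wait` calls that follow pass no `-n`, so with any value other than `default` they look in the context's current namespace and either fail or wait on the wrong resources. Add `-n "${PROJECT_NAMESPACE}"` to both, and update the comment that still says the "default" namespace. The value is also spliced into the sed program unvalidated, so a `/` or `&` in it changes the expression; a guard such as `[[ "${PROJECT_NAMESPACE}" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]] || exit 1` before use keeps it to a DNS label. Separately, `exec -it` in the kind hotfix line needs a TTY and is likely to fail when the script runs non-interactively; plain `exec` is enough for a one-shot `sysctl`.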
diff --git a/scripts/kind-load-images.sh b/scripts/kind-load-images.sh
new file mode 100755
index 000000000..b152f9592
--- /dev/null
+++ b/scripts/kind-load-images.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# ------------------------------------------------------------------------------
+# This shell script loads images into a kind cluster that are needed for a
+# development environment including the vllm simulator and the GIE itself.
+# ------------------------------------------------------------------------------
+
+set -eo pipefail
+
+# ------------------------------------------------------------------------------
+# Variables
+# ------------------------------------------------------------------------------
+
+# Set a default CLUSTER_NAME if not provided
+: "${CLUSTER_NAME:=gie-dev}"
+
+# Set the default IMAGE_REGISTRY if not provided
+: "${IMAGE_REGISTRY:=quay.io/vllm-d}"
+
+# Set a default VLLM_SIMULATOR_IMAGE if not provided
+: "${VLLM_SIMULATOR_IMAGE:=vllm-sim}"
+
+# Set a default VLLM_SIMULATOR_TAG if not provided
+: "${VLLM_SIMULATOR_TAG:=0.0.2}"
+
+# Set a default ENDPOINT_PICKER_IMAGE if not provided
+: "${ENDPOINT_PICKER_IMAGE:=gateway-api-inference-extension/epp}"
+
+# Set a default ENDPOINT_PICKER_TAG if not provided
+: "${ENDPOINT_PICKER_TAG:=0.0.1}"
+
+# ------------------------------------------------------------------------------
+# Setup & Requirement Checks
+# ------------------------------------------------------------------------------
+
+# Check for a supported container runtime if an explicit one was not set
+if [ -z "${CONTAINER_RUNTIME}" ]; then
+  if command -v docker &> /dev/null; then
+    CONTAINER_RUNTIME="docker"
+  elif command -v podman &> /dev/null; then
+    CONTAINER_RUNTIME="podman"
+  else
+    echo "Neither docker nor podman could be found in PATH" >&2
+    exit 1
+  fi
+fi
+
+set -u
+
+# Check for required programs
+for cmd in kind ${CONTAINER_RUNTIME}; do
+    if ! command -v "$cmd" &> /dev/null; then
+        echo "Error: $cmd is not installed or not in the PATH."
+        exit 1
+    fi
+done
+
+# ------------------------------------------------------------------------------
+# Load Container Images
+# ------------------------------------------------------------------------------
+
+# Load the vllm simulator image into the cluster
+if [ "${CONTAINER_RUNTIME}" == "podman" ]; then
+	podman save ${IMAGE_REGISTRY}/${VLLM_SIMULATOR_IMAGE}:${VLLM_SIMULATOR_TAG} -o /dev/stdout | kind --name ${CLUSTER_NAME} load image-archive /dev/stdin
+else
+	kind --name ${CLUSTER_NAME} load docker-image ${IMAGE_REGISTRY}/${VLLM_SIMULATOR_IMAGE}:${VLLM_SIMULATOR_TAG}
+fi
+
+# Load the ext_proc endpoint-picker image into the cluster
+if [ "${CONTAINER_RUNTIME}" == "podman" ]; then
+	podman save ${IMAGE_REGISTRY}/${ENDPOINT_PICKER_IMAGE}:${ENDPOINT_PICKER_TAG} -o /dev/stdout | kind --name ${CLUSTER_NAME} load image-archive /dev/stdin
+else
+	kind --name ${CLUSTER_NAME} load docker-image ${IMAGE_REGISTRY}/${ENDPOINT_PICKER_IMAGE}:${ENDPOINT_PICKER_TAG}
+fi
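Review bot: Every expansion in the two load blocks at the end of the file (`${CLUSTER_NAME}`, the `${IMAGE_REGISTRY}/…:${…_TAG}` references) is unquoted, so an overridden value containing whitespace or glob characters is word-split into extra arguments to `podman save` and `kind load`. The two blocks are also identical apart from the image reference, so the podman/docker branch has to be kept in sync by hand. A small helper that takes the reference as one quoted argument fixes both, as sketched below. Both defaults are mutable tags, so the script loads whatever the local image store currently holds under them; a comment saying so would help anyone who expects a pinned image.

```shell
# … unchanged: variable defaults, runtime detection, requirement checks …

# Load one locally available image into the kind cluster.
load_image() {
  local ref="$1"
  if [ "${CONTAINER_RUNTIME}" == "podman" ]; then
    podman save "${ref}" -o /dev/stdout | kind --name "${CLUSTER_NAME}" load image-archive /dev/stdin
  else
    kind --name "${CLUSTER_NAME}" load docker-image "${ref}"
  fi
}

load_image "${IMAGE_REGISTRY}/${VLLM_SIMULATOR_IMAGE}:${VLLM_SIMULATOR_TAG}"
load_image "${IMAGE_REGISTRY}/${ENDPOINT_PICKER_IMAGE}:${ENDPOINT_PICKER_TAG}"
```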