diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 0b1d2b6d5..2cb39e8ca 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
 "name": "istio build-tools",
- "image": "gcr.io/istio-testing/build-tools:master-0aa2afb4bac9a4fd1bfe50a929c077a643066b3a",
+ "image": "gcr.io/istio-testing/build-tools:master-8463430ba963638b35745d773045701f6d02014d",
 "privileged": true,
 "remoteEnv": {
 "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 000000000..9a3170f7f
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,40 @@
+
+
+#### What type of PR is this?
+
+
+- [ ] Enhancement / New Feature
+- [ ] Bug Fix
+- [ ] Refactor
+- [ ] Optimization
+- [ ] Test
+- [ ] Documentation Update
+
+#### What this PR does / why we need it:
+
+
+#### Which issue(s) this PR fixes:
+
+Fixes #
+
+Related Issue/PR #
+
+#### Additional information:
diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
new file mode 100644
index 000000000..c4772fabd
--- /dev/null
+++ b/.github/workflows/helm.yaml
@@ -0,0 +1,32 @@
+name: Publish Helm artifact
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: "Release version"
+ required: true
+
+run-name: Publish Helm artifact ${{ inputs.release_version }}
+
+env:
+ GIT_USER: ${{ secrets.GIT_USER }}
+ GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }}
+ VERSION: ${{ inputs.release_version }}
+
+jobs:
+ helm:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Publish Helm artifact to "gh-pages" branch
+ run: |
+ make helm-artifacts-publish \
+ -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \
+ -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \
+ -e OPERATOR_VERSION=$VERSION
+ env:
+ GIT_CONFIG_USER_NAME: "${{ github.actor }}"
+ GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
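Review bot: The workflow-level `env:` block puts `GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }}` (and `GIT_USER`) into the environment of every step, including `actions/checkout@v4`, although only the `make helm-artifacts-publish` step uses them; the release.yaml and update-deps.yaml hunks below follow the same pattern. Moving the two entries into that step's `env:`, next to `GIT_CONFIG_USER_NAME`, keeps the PAT out of steps that do not need it, and a job-level `permissions: contents: read` records that the push is done with the PAT rather than the default `GITHUB_TOKEN`. There also looks to be a naming mismatch with the `helm-artifacts-publish` recipe in the Makefile.core.mk `@@ -560` hunk: this workflow exports `GIT_USER`, but the recipe runs `export GIT_USER=$(GITHUB_USER)`, which replaces it with the make variable `GITHUB_USER` — empty unless it is defined somewhere outside this diff — so either add `GITHUB_USER: ${{ secrets.GIT_USER }}` here or drop the reassignment in the recipe. Lastly, `-e OPERATOR_VERSION=$VERSION` is the only unquoted expansion in the run block; `-e OPERATOR_VERSION="$VERSION"` matches the two lines above it.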
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 000000000..0ddb40159
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,89 @@
+name: Release workflow
+
+on:
+ workflow_dispatch:
+ inputs:
+ release_version:
+ description: "Release version"
+ required: true
+ bundle_channels:
+ description: "Bundle channels"
+ required: true
+ default: dev-0.2
+ is_draft_release:
+ description: "Draft release"
+ type: boolean
+ required: false
+ default: true
+ is_pre_release:
+ description: "Pre-release"
+ type: boolean
+ required: false
+ default: false
+
+run-name: Release ${{ inputs.release_version }}
+
+env:
+ GIT_USER: ${{ secrets.GIT_USER }}
+ GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }}
+ VERSION: ${{ inputs.release_version }}
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Login to quay.io
+ uses: docker/login-action@v3
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USER }}
+ password: ${{ secrets.QUAY_PWD }}
+
+ - uses: actions/checkout@v4
+
+ - name: Build and push operator image
+ run: |
+ make docker-buildx \
+ -e TAG=$VERSION
+
+ - name: Generate bundle metadata
+ run: |
+ make bundle \
+ -e CHANNELS=$CHANNELS
+ env:
+ CHANNELS: ${{ inputs.bundle_channels }}
+
+ - name: Publish bundle in operatorhub.io
+ run: |
+ make bundle-publish \
+ -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \
+ -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \
+ -e OPERATOR_VERSION=$VERSION \
+ -e OPERATOR_HUB=community-operators \
+ -e OWNER=k8s-operatorhub \
+ -e FORK=maistra
+ env:
+ GIT_CONFIG_USER_NAME: "${{ github.actor }}"
+ GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+ - name: Publish bundle in OpenShift OperatorHub
+ run: |
+ make bundle-publish \
+ -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \
+ -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \
+ -e OPERATOR_VERSION=$VERSION \
+ -e OWNER=redhat-openshift-ecosystem \
+ -e FORK=maistra
+ env:
+ GIT_CONFIG_USER_NAME: "${{ github.actor }}"
+ GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+
+ - name: Create GitHub release
+ run: |
+ make create-gh-release \
+ -e GH_PRE_RELEASE=$GH_PRE_RELEASE \
+ -e GH_RELEASE_DRAFT=$GH_RELEASE_DRAFT
+ env:
+ GH_PRE_RELEASE: ${{ github.event.inputs.is_pre_release == 'true' }}
+ GH_RELEASE_DRAFT: ${{ github.event.inputs.is_draft_release == 'true' }}
\ No newline at end of file
diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml
new file mode 100644
index 000000000..96bdc372f
--- /dev/null
+++ b/.github/workflows/update-deps.yaml
@@ -0,0 +1,43 @@
+name: Update-deps workflow
+
+on:
+ schedule:
+ - cron: "0 5 * * *" # everyday at 5AM UTC
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: "Branch to update"
+ default: "main"
+ required: true
+
+run-name: update-deps
+
+env:
+ GIT_USER: ${{ secrets.GIT_USER }}
+ GH_TOKEN: ${{ secrets.GIT_TOKEN }}
+ AUTOMATOR_ORG: istio-ecosystem
+ AUTOMATOR_REPO: sail-operator
+ AUTOMATOR_BRANCH: ${{ inputs.branch || 'main' }}
+
+jobs:
+ update-deps:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ repository: istio/test-infra
+ ref: master
+
+ - name: Run Automator
+ run: |
+ ./tools/automator/automator.sh \
+ --org=$AUTOMATOR_ORG \
+ --repo=sail-operator \
+ --branch=$AUTOMATOR_BRANCH \
+ '--title=Automator: Update dependencies in $AUTOMATOR_ORG/$AUTOMATOR_REPO@$AUTOMATOR_BRANCH' \
+ --labels=auto-merge \
+ --modifier=update_deps \
+ --token-env \
+ --cmd=./tools/update_deps.sh \
+ --signoff
diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md
new file mode 100644
index 000000000..880f0a278
--- /dev/null
+++ b/CODE-OF-CONDUCT.md
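Review bot: Both actions in this job are referenced by mutable tags (`docker/login-action@v3`, `actions/checkout@v4`) while the job holds the quay.io credentials and `secrets.GIT_TOKEN`; pinning each `uses:` to a full commit SHA, with the tag in a trailing comment, is the usual mitigation against a tag being moved underneath a credentialed job. The inputs are read inconsistently: `release_version` and `bundle_channels` go through `inputs.*`, but the last step uses `github.event.inputs.is_pre_release == 'true'`; since both flags are declared `type: boolean`, `GH_PRE_RELEASE: ${{ inputs.is_pre_release }}` and `GH_RELEASE_DRAFT: ${{ inputs.is_draft_release }}` give the same value with one convention. The two `bundle-publish` steps differ only in `OPERATOR_HUB`/`OWNER`, so a step-level `env:` shared via a matrix entry would remove the duplicated `GIT_CONFIG_*` block. The file also ends without a trailing newline.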
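Review bot: The job checks out `istio/test-infra` at `ref: master` and runs `./tools/automator/automator.sh` from it every night with the `secrets.GIT_TOKEN` PAT exposed through `GH_TOKEN`/`--token-env`, so whatever lands on that branch runs with write access to this repository; pinning `ref:` to a specific commit SHA and bumping it deliberately keeps the executed code reviewable. `--repo=sail-operator` is hard-coded although `AUTOMATOR_REPO` is defined and used in the `--title` string; `--repo=$AUTOMATOR_REPO` keeps the two in step. The `--title` argument is single-quoted, so the shell passes `$AUTOMATOR_ORG`/`$AUTOMATOR_REPO`/`$AUTOMATOR_BRANCH` through literally; if automator.sh expands them itself that is fine, but a short comment above that line saying so would keep the next reader from "fixing" the quotes.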
@@ -0,0 +1,7 @@
+# Sail Operator Community Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+All members of the Sail Operator community must abide by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
+Only by respecting each other can we develop a productive, collaborative community.
+
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index d71a391ea..8d6421f53 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -25,20 +25,10 @@ If you want to contribute to the Sail Operator project, you can follow some rule - Discuss your changes before you start working on them. You can open a new issue in the [Sail Operator GitHub repository](https://github.com/istio-ecosystem/sail-operator/issues) or start a discussion in the [Sail Operator Discussion](https://github.com/istio-ecosystem/sail-operator/discussions). By this way, you can get feedback from the community and ensure that your changes are aligned with the project goals. - Use of Labels: We use labels in the issues to help us track the progress of the issues. You can use the labels to help you understand the status of the issue and what is needed to move forward. Those labels are: - `backport/backport-handled`: Use this label to indicate that the issue has been backported to the appropriate branches. - - `testing`: Use this label to indicate that the issue is related to testing. Can be used in combination with other labels to mark the proper testing type, for example: `testing/e2e`, `testing/unit`, `testing/integration`. + - `test`: Use this label to indicate that the issue is related to test or add `test-needed` when a issue needs a test to be added related. Can be used in combination with other labels to mark the proper test type, for example: `test-e2e`, `test-unit`, `test-integration`. - `good first issue`: Use this label to indicate that the issue is a good first issue for new contributors. - `help wanted`: Use this label to indicate that the issue needs help from the community. - `enhancement`: Use this label to indicate that the issue is an enhancement related to a new feature or improvement. 
-- Pull Requests: When you open a pull request, you can follow this template to help you provide the necessary information to the maintainers: - - **What type of PR is this?** - - **What this PR does / why we need it:** - - **Which issue(s) this PR fixes:** (Mark with Fixes #12345, with this the issue will be autoclosed when the PR is merged) - - **Special notes for your reviewer:** - - **Does this PR introduce a user-facing change?** - - **Additional documentation:** - - **Does this PR introduce a breaking change?** - - **Other information:** - - Labels: You can use the labels to help you track the status of the PR. The labels are the same as the issue labels. Additionally, you can use the `cleanup/refactor` to indicate that the PR is a cleanup or refactor of the codebase. Having the label just helps with filtering pull requests. It also is a hint that this work does not need an entry in the changelog ## Community meetings @@ -46,4 +36,4 @@ This is not defined yet. We are working on defining the community meetings and h ## Security Issues -If you find a security issue in the Sail Operator project, please refer to the [Security Policy](https://github.com/istio-ecosystem/sail-operator/security/policy) for more information on how to report security issues. Please do not report security issues in the public GitHub repository. \ No newline at end of file +If you find a security issue in the Sail Operator project, please refer to the [Security Policy](https://github.com/istio-ecosystem/sail-operator/security/policy) for more information on how to report security issues. Please do not report security issues in the public GitHub repository. diff --git a/Dockerfile b/Dockerfile index f4831aa13..7f249db94 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,9 +2,9 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 ARG TARGETOS TARGETARCH
-ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/manager /manager
+ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/sail-operator /sail-operator
 ADD resources /var/lib/sail-operator/resources
 USER 65532:65532
 WORKDIR /
-ENTRYPOINT ["/manager"]
+ENTRYPOINT ["/sail-operator"]
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 3a3cd3d7f..a3afbac6c 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -79,7 +79,12 @@ GINKGO_FLAGS := $(if $(VERBOSE),-v) $(if $(CI),--no-color)
 # To re-generate a bundle for other specific channels without changing the standard setup, you can:
 # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable)
 # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable")
-CHANNELS ?= ${MINOR_VERSION}
+CHANNEL_PREFIX := dev
+ifneq (,$(findstring release-,$(shell git rev-parse --abbrev-ref HEAD)))
+CHANNEL_PREFIX = stable
+endif
+
+CHANNELS ?= $(CHANNEL_PREFIX)-$(MINOR_VERSION)
 ifneq ($(origin CHANNELS), undefined)
 BUNDLE_CHANNELS = --channels=\"$(CHANNELS)\"
 endif
@@ -165,8 +170,8 @@ test.e2e.ocp: ## Run the end-to-end tests against an existing OCP cluster.
 GINKGO_FLAGS="$(GINKGO_FLAGS)" ${SOURCE_DIR}/tests/e2e/integ-suite-ocp.sh
 .PHONY: test.e2e.kind
-test.e2e.kind: ## Deploy a KinD cluster and run the end-to-end tests against it.
- GINKGO_FLAGS="$(GINKGO_FLAGS)" ${SOURCE_DIR}/tests/e2e/integ-suite-kind.sh
+test.e2e.kind: istioctl ## Deploy a KinD cluster and run the end-to-end tests against it.
+ GINKGO_FLAGS="$(GINKGO_FLAGS)" ISTIOCTL="$(ISTIOCTL)" ${SOURCE_DIR}/tests/e2e/integ-suite-kind.sh
 .PHONY: test.e2e.describe
 test.e2e.describe: ## Runs ginkgo outline -format indent over the e2e test to show in BDD style the steps and test structure
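Review bot: The renamed `ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/sail-operator /sail-operator` line copies a local file, for which `COPY` is the narrower instruction: `ADD` additionally auto-extracts archives and accepts remote URLs, neither of which is wanted for a binary. `COPY out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/sail-operator /sail-operator` keeps the behaviour; the unchanged `ADD resources ...` line below it would benefit from the same treatment in a follow-up.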
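Review bot: `$(shell git rev-parse --abbrev-ref HEAD)` prints `HEAD` on a detached checkout, which is what `actions/checkout` produces, so a release branch built in CI still ends up with `CHANNEL_PREFIX = dev` unless `CHANNELS` is passed explicitly the way release.yaml does; `findstring release-` also matches any branch name that merely contains that substring. Making the prefix overridable, `CHANNEL_PREFIX ?= dev`, lets CI set it deliberately, and a comment above the `ifneq` saying that the detection only works on a non-detached `release-*` checkout documents the limitation. Outside a git checkout (a source tarball) the `$(shell git ...)` call prints a fatal error on every make invocation; `2>/dev/null` on the command keeps that quiet.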
@@ -174,7 +179,7 @@ test.e2e.describe: ## Runs ginkgo outline -format indent over the e2e test to sh
 ##@ Build
 .PHONY: build
-build: build-$(TARGET_ARCH) ## Build manager binary.
+build: build-$(TARGET_ARCH) ## Build the sail-operator binary.
 .PHONY: run
 run: gen ## Run a controller from your host.
@@ -216,7 +221,7 @@ endif
 # BUILDX_BUILD_ARGS are the additional --build-arg flags passed to the docker buildx build command.
 BUILDX_BUILD_ARGS = --build-arg TARGETOS=$(TARGET_OS)
-# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple
+# PLATFORMS defines the target platforms for the sail-operator image be build to provide support to multiple
 # architectures. (i.e. make docker-buildx IMAGE=myregistry/mypoperator:0.0.1). To use this option you need to:
 # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/
 # - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/
@@ -228,8 +233,8 @@ PLATFORM_ARCHITECTURES = $(shell echo ${PLATFORMS} | sed -e 's/,/\ /g' -e 's/lin
 ifndef BUILDX
 define BUILDX
 .PHONY: build-$(1)
-build-$(1): ## Build manager binary for specific architecture.
- GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/manager cmd/main.go
+build-$(1): ## Build sail-operator binary for specific architecture.
+ GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/sail-operator cmd/main.go
 .PHONY: build-all
 build-all: build-$(1)
@@ -249,6 +254,9 @@ docker-buildx: build-all ## Build and push docker image with cross-platform supp
 docker buildx rm project-v4-builder
 rm Dockerfile.cross
+clean: ## Cleans all the intermediate files and folders previously generated.
+ rm -rf $(REPO_ROOT)/out
+
 ##@ Deployment
 .PHONY: verify-kubeconfig
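Review bot: The new `clean` target is not declared `.PHONY`, unlike every other target in these hunks, so a file or directory named `clean` at the repository root would silently turn it into a no-op; adding `.PHONY: clean` above it follows the file's convention. `rm -rf $(REPO_ROOT)/out` also deserves a guard, or at least a comment stating that `REPO_ROOT` must be non-empty (it is already used by `build-$(1)`, so it is presumably defined elsewhere in the file), since an empty value turns the recipe into `rm -rf /out`.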
@@ -381,7 +389,7 @@ gen-charts: ## Pull charts from istio repository.
 gen: gen-all-except-bundle bundle ## Generate everything.
 .PHONY: gen-all-except-bundle
-gen-all-except-bundle: operator-name operator-chart controller-gen gen-api gen-charts gen-manifests gen-code gen-api-docs
+gen-all-except-bundle: operator-name operator-chart controller-gen gen-api gen-charts gen-manifests gen-code gen-api-docs github-workflow
 .PHONY: gen-check
 gen-check: gen restore-manifest-dates check-clean-repo ## Verify that changes in generated resources have been checked in.
@@ -425,6 +433,9 @@ operator-chart:
 sed -i -e "s|^\(image: \).*$$|\1${IMAGE}|g" \
 -e "s/^\( version: \).*$$/\1${VERSION}/g" chart/values.yaml
+github-workflow:
+ sed -i -e '1,/default:/ s/^\(.*default:\).*$$/\1 ${CHANNELS}/' .github/workflows/release.yaml
+
 .PHONY: update-istio
 update-istio: ## Update the Istio commit hash in the 'latest' entry in versions.yaml to the latest commit in the branch.
 @hack/update-istio.sh
@@ -450,13 +461,15 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 GITLEAKS ?= $(LOCALBIN)/gitleaks
 OPM ?= $(LOCALBIN)/opm
+ISTIOCTL ?= $(LOCALBIN)/istioctl
 ## Tool Versions
-OPERATOR_SDK_VERSION ?= v1.36.1
-HELM_VERSION ?= v3.15.3
-CONTROLLER_TOOLS_VERSION ?= v0.16.0
-OPM_VERSION ?= v1.45.0
-GITLEAKS_VERSION ?= v8.18.4
+OPERATOR_SDK_VERSION ?= v1.37.0
+HELM_VERSION ?= v3.16.1
+CONTROLLER_TOOLS_VERSION ?= v0.16.3
+OPM_VERSION ?= v1.47.0
+GITLEAKS_VERSION ?= v8.20.0
+ISTIOCTL_VERSION ?= 1.23.0
 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not
 # To disable set flag to false
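Review bot: The `sed` range `1,/default:/` in the new `github-workflow` recipe rewrites the first `default:` line of `.github/workflows/release.yaml`, which is the `bundle_channels` default only because `release_version` declares none; reordering the inputs or giving `release_version` a default would silently redirect the edit to another input. A comment above the recipe, `# Keeps the bundle_channels default in release.yaml in sync with CHANNELS; relies on it being the first 'default:' key in that file`, makes the coupling visible, and matching on the key itself would be sturdier. `${CHANNELS}` is spliced into the replacement unescaped, so a value containing `/` or `&` would break or alter the expression — fine for `dev-0.2`-style values, but worth knowing. The target is added to `.SILENT` in the `@@ -624` hunk, yet no `.PHONY: github-workflow` line appears in this diff; if it is not declared elsewhere, it should be.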
@@ -483,6 +496,28 @@ $(OPERATOR_SDK): $(LOCALBIN)
 curl -sSLfo $(LOCALBIN)/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OS)_$(ARCH) && \
 chmod +x $(LOCALBIN)/operator-sdk;
+.PHONY: istioctl $(ISTIOCTL)
+istioctl: $(ISTIOCTL) ## Download istioctl to bin directory.
+istioctl: TARGET_OS=$(shell go env GOOS)
+istioctl: TARGET_ARCH=$(shell go env GOARCH)
+$(ISTIOCTL): $(LOCALBIN)
+ @test -s $(LOCALBIN)/istioctl || { \
+ OSEXT=$(if $(filter $(TARGET_OS),Darwin),osx,linux); \
+ URL="https://github.com/istio/istio/releases/download/$(ISTIOCTL_VERSION)/istioctl-$(ISTIOCTL_VERSION)-$$OSEXT-$(TARGET_ARCH).tar.gz"; \
+ echo "Fetching istioctl from $$URL"; \
+ curl -fsL $$URL -o /tmp/istioctl.tar.gz || { \
+ echo "Download failed! Please check the URL and ISTIO_VERSION."; \
+ exit 1; \
+ }; \
+ tar -xzf /tmp/istioctl.tar.gz -C /tmp || { \
+ echo "Extraction failed!"; \
+ exit 1; \
+ }; \
+ mv /tmp/istioctl $(LOCALBIN)/istioctl; \
+ rm -f /tmp/istioctl.tar.gz; \
+ echo "istioctl has been downloaded and placed in $(LOCALBIN)"; \
+ }
+
 .PHONY: controller-gen
 controller-gen: $(LOCALBIN) ## Download controller-gen to bin directory. If wrong version is installed, it will be overwritten.
 @test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \
@@ -560,6 +595,13 @@ bundle-publish-nightly: OPERATOR_VERSION=$(VERSION)-nightly-$(TODAY) ## Publish
 bundle-publish-nightly: TAG=$(MINOR_VERSION)-nightly-$(TODAY)
 bundle-publish-nightly: bundle-nightly bundle-publish
+.PHONY: helm-artifacts-publish
+helm-artifacts-publish: helm ## Publish Helm artifacts to be available for "Helm repo add"
+ @export GIT_USER=$(GITHUB_USER); \
+ export GITHUB_TOKEN=$(GITHUB_TOKEN); \
+ export OPERATOR_VERSION=${OPERATOR_VERSION}; \
+ ./hack/helm-artifacts.sh
+
 .PHONY: opm $(OPM)
 opm: $(OPM)
 opm: OS=$(shell go env GOOS)
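Review bot: `OSEXT=$(if $(filter $(TARGET_OS),Darwin),osx,linux)` compares against `Darwin`, but the target-specific `istioctl: TARGET_OS=$(shell go env GOOS)` a few lines above yields lowercase `darwin`, and `filter` is case-sensitive, so on macOS the recipe would fetch the Linux tarball — unless `TARGET_OS` reaches `$(ISTIOCTL)` from somewhere else; `$(filter $(TARGET_OS),darwin Darwin)` covers both spellings. The failure message names `ISTIO_VERSION` while the variable is `ISTIOCTL_VERSION`; `echo "Download failed! Please check the URL and ISTIOCTL_VERSION."; \` fixes the hint. The download and extraction use fixed paths in shared `/tmp` (`/tmp/istioctl.tar.gz`, `/tmp/istioctl`) and no checksum is verified, so a concurrent run or a pre-existing file at those paths is picked up silently; a `mktemp -d` working directory removed after the `mv` avoids the collision, and a comment noting that integrity relies on TLS to github.com (as the operator-sdk download above does) records the trade-off.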
@@ -624,7 +666,7 @@ git-hook: gitleaks ## Installs gitleaks as a git pre-commit hook.
 chmod +x .git/hooks/pre-commit; \
 fi
-.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml gen-api operator-name operator-chart
+.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml gen-api operator-name operator-chart github-workflow
 COMMON_IMPORTS ?= lint-all lint-scripts lint-copyright-banner lint-go lint-yaml lint-helm format-go tidy-go check-clean-repo update-common
 .PHONY: $(COMMON_IMPORTS)
diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go
index dfeb27df3..f4e492a2e 100644
--- a/api/v1alpha1/istio_types.go
+++ b/api/v1alpha1/istio_types.go
@@ -37,10 +37,10 @@ const (
 type IstioSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest
- // +kubebuilder:default=v1.23.0
+ // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.23.2
 Version string `json:"version"`
 // Defines the update strategy to use when the version in the Istio CR is updated.
@@ -114,6 +114,9 @@ type IstioStatus struct {
 // Reports the current state of the object.
 State IstioConditionReason `json:"state,omitempty"`
+ // The name of the active revision.
+ ActiveRevisionName string `json:"activeRevisionName,omitempty"`
+
 // Reports information about the underlying IstioRevisions.
 Revisions RevisionSummary `json:"revisions,omitempty"`
 }
@@ -238,7 +241,8 @@ const (
 // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object."
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready."
 // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads."
-// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.state",description="The current state of the active revision."
+// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision."
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision."
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation."
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object"
@@ -253,7 +257,7 @@ type Istio struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:default={version: "v1.23.0", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
+ // +kubebuilder:default={version: "v1.23.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
 Spec IstioSpec `json:"spec,omitempty"`
 Status IstioStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go
index 0bceffb8c..535af7237 100644
--- a/api/v1alpha1/istiocni_types.go
+++ b/api/v1alpha1/istiocni_types.go
@@ -28,10 +28,10 @@ const (
 type IstioCNISpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest
- // +kubebuilder:default=v1.23.0
+ // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.23.2
 Version string `json:"version"`
 // +sail:profile
@@ -177,7 +177,7 @@ type IstioCNI struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:default={version: "v1.23.0", namespace: "istio-cni"}
+ // +kubebuilder:default={version: "v1.23.2", namespace: "istio-cni"}
 Spec IstioCNISpec `json:"spec,omitempty"`
 Status IstioCNIStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go
index 9500341f3..289d2f067 100644
--- a/api/v1alpha1/istiorevision_types.go
+++ b/api/v1alpha1/istiorevision_types.go
@@ -35,9 +35,9 @@ type IstioRevisionSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest
+ // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
 Version string `json:"version"`
 // Namespace to which the Istio components should be installed.
diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go
index 1494a9bc7..463906896 100644
--- a/api/v1alpha1/remoteistio_types.go
+++ b/api/v1alpha1/remoteistio_types.go
@@ -27,10 +27,10 @@ const RemoteIstioKind = "RemoteIstio"
 type RemoteIstioSpec struct {
 // +sail:version
 // Defines the version of Istio to install.
- // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest.
- // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
- // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest
- // +kubebuilder:default=v1.23.0
+ // Must be one of: v1.23.2, v1.22.5, v1.21.6, latest.
+ // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:latest"}
+ // +kubebuilder:validation:Enum=v1.23.2;v1.22.5;v1.21.6;latest
+ // +kubebuilder:default=v1.23.2
 Version string `json:"version"`
 // Defines the update strategy to use when the version in the RemoteIstio CR is updated.
@@ -71,6 +71,9 @@ type RemoteIstioStatus struct {
 // Reports the current state of the object.
 State RemoteIstioConditionReason `json:"state,omitempty"`
+ // The name of the active revision.
+ ActiveRevisionName string `json:"activeRevisionName,omitempty"`
+
 // Reports information about the underlying IstioRevisions.
 Revisions RevisionSummary `json:"revisions,omitempty"`
 }
@@ -183,7 +186,8 @@ const (
 // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object."
 // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready."
 // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads."
-// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.state",description="The current state of the active revision."
+// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision."
+// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision."
 // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation."
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object"
@@ -193,7 +197,7 @@ type RemoteIstio struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // +kubebuilder:default={version: "v1.23.0", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
+ // +kubebuilder:default={version: "v1.23.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}}
 Spec RemoteIstioSpec `json:"spec,omitempty"`
 Status RemoteIstioStatus `json:"status,omitempty"`
diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go
index 76ded79ff..f1d55adb4 100644
--- a/api/v1alpha1/values_types.gen.go
+++ b/api/v1alpha1/values_types.gen.go
@@ -108,7 +108,7 @@ type CNIConfig struct { Affinity *k8sv1.Affinity `json:"affinity,omitempty"` // Additional annotations to apply to the istio-cni Pods. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PodAnnotations map[string]string `json:"podAnnotations,omitempty"` // PodSecurityPolicy cluster role. No longer used anywhere. PspClusterRole string `json:"psp_cluster_role,omitempty"` @@ -126,7 +126,7 @@ type CNIConfig struct { Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // No longer used for CNI. See: https://github.com/istio/istio/issues/49004 // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Privileged *bool `json:"privileged,omitempty"` // The Container seccompProfile // @@ -190,7 +190,7 @@ type CNIRepairConfig struct { RepairPods bool `json:"repairPods,omitempty"` // No longer used. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. CreateEvents string `json:"createEvents,omitempty"` // The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. // The mode defines the action the controller will take when a pod is detected as broken. @@ -240,7 +240,7 @@ type GlobalConfig struct { // // Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Arch *ArchConfig `json:"arch,omitempty"` // List of certSigners to allow "approve" action in the ClusterRole CertSigners []string `json:"certSigners,omitempty"` 
@@ -250,17 +250,15 @@ type GlobalConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultNodeSelector map[string]string `json:"defaultNodeSelector,omitempty"` // Specifies the default pod disruption budget configuration. - // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. DefaultPodDisruptionBudget *DefaultPodDisruptionBudgetConfig `json:"defaultPodDisruptionBudget,omitempty"` // Default k8s resources settings for all Istio control plane components. // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultResources *k8sv1.ResourceRequirements `json:"defaultResources,omitempty"` // Default node tolerations to be applied to all deployments so that all pods can be // scheduled to nodes with matching taints. Each component can overwrite @@ -269,7 +267,7 @@ type GlobalConfig struct { // Configure this field in case that all pods of Istio control plane are expected to // be scheduled to particular nodes with specified taints. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultTolerations []k8sv1.Toleration `json:"defaultTolerations,omitempty"` // Specifies the docker hub for Istio images. Hub string `json:"hub,omitempty"` 
@@ -363,7 +361,7 @@ type GlobalConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PriorityClassName string `json:"priorityClassName,omitempty"` // Specifies how proxies are configured within Istio. Proxy *ProxyConfig `json:"proxy,omitempty"` @@ -387,7 +385,7 @@ type GlobalConfig struct { // Configure the policy for validating JWT. // This is deprecated and has no effect. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. JwtPolicy string `json:"jwtPolicy,omitempty"` // Specifies the configuration for Security Token Service. Sts *STSConfig `json:"sts,omitempty"` @@ -476,7 +474,7 @@ type PilotConfig struct { AutoscaleBehavior *autoscalingv2.HorizontalPodAutoscalerBehavior `json:"autoscaleBehavior,omitempty"` // Number of replicas in the Pilot Deployment. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. ReplicaCount uint32 `json:"replicaCount,omitempty"` // Image name used for Pilot. // 
@@ -494,19 +492,19 @@ type PilotConfig struct {
 //
 // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
 // Target CPU utilization used in HorizontalPodAutoscaler.
 //
 // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Cpu *TargetUtilizationConfig `json:"cpu,omitempty"`
 // K8s node selector.
 //
 // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 // Maximum duration that a sidecar can be connected to a pilot.
 //
@@ -539,7 +537,7 @@ type PilotConfig struct {
 Affinity *k8sv1.Affinity `json:"affinity,omitempty"`
 // K8s rolling update strategy
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 // +kubebuilder:validation:XIntOrString
 RollingMaxSurge *intstr.IntOrString `json:"rollingMaxSurge,omitempty"`
 // The number of pods that can be unavailable during a rolling update (see
@@ -548,20 +546,20 @@ type PilotConfig struct {
 // May be specified as a number of pods or as a percent of the total number
 // of pods at the start of the update.
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 // +kubebuilder:validation:XIntOrString
 RollingMaxUnavailable *intstr.IntOrString `json:"rollingMaxUnavailable,omitempty"`
 // The node tolerations to be applied to the Pilot deployment so that it can be
 // scheduled to particular nodes with matching taints.
 // More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Tolerations []k8sv1.Toleration `json:"tolerations,omitempty"`
 // K8s annotations for pods.
 //
 // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 PodAnnotations map[string]string `json:"podAnnotations,omitempty"`
 // K8s annotations for the Service.
 //
@@ -602,7 +600,7 @@ type PilotConfig struct {
 //
 // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Memory *TargetUtilizationConfig `json:"memory,omitempty"`
 // Configures whether to use an existing CNI installation for workloads
 Cni *CNIUsageConfig `json:"cni,omitempty"`
@@ -610,6 +608,8 @@ type PilotConfig struct {
 // If set, `istiod` will allow connections from trusted node proxy ztunnels
 // in the provided namespace.
 TrustedZtunnelNamespace string `json:"trustedZtunnelNamespace,omitempty"`
+ // Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane").
+ IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"`
 }
 
 type PilotTaintControllerConfig struct {
@@ -726,7 +726,7 @@ type ProxyConfig struct {
 //
 // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
 // Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
 // If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
@@ -740,7 +740,7 @@ type ProxyConfig struct {
 //
 // Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior.
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 HoldApplicationUntilProxyStarts *bool `json:"holdApplicationUntilProxyStarts,omitempty"`
 // A comma separated list of inbound ports for which traffic is to be redirected to Envoy.
 // The wildcard character '*' can be used to configure redirection for all ports.
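Review bot: The new `PilotConfig.IstiodRemote` field (hunk at line 610) reuses `IstiodRemoteConfig`, the same type behind the top-level `Values.IstiodRemote` that the hunk at line 921 marks deprecated, but neither comment says which of the two paths is now the supported one. The deprecation text points users at `values.istiodRemote.enabled=true`, which is the json path of the deprecated field itself, whereas this field would be reached under `pilot.istiodRemote`; if the new field is the replacement, its comment should say so, e.g. `// Replaces the deprecated top-level istiodRemote values key.`, and the deprecation note should name the same path. I cannot see the chart templates, so which key the istio-discovery chart actually reads should be confirmed before choosing the wording.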
@@ -772,7 +772,7 @@ type ProxyInitConfig struct {
 //
 // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
 }
 
@@ -786,7 +786,7 @@ type ResourcesRequestsConfig struct {
 
 // Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
 type SDSConfig struct {
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 Token *SDSConfigToken `json:"token,omitempty"`
 }
 
@@ -884,6 +884,8 @@ type TracerStackdriverConfig struct {
 }
 
 type BaseConfig struct {
+ // CRDs to exclude. Requires `enableCRDTemplates`
+ ExcludedCRDs []string `json:"excludedCRDs,omitempty"`
 // URL to use for validating webhook.
 ValidationURL string `json:"validationURL,omitempty"`
 
@@ -898,6 +900,8 @@ type IstiodRemoteConfig struct {
 InjectionPath string `json:"injectionPath,omitempty"`
 // injector ca bundle
 InjectionCABundle string `json:"injectionCABundle,omitempty"`
+ // Indicates if this cluster/install should consume a "remote" istiod instance,
+ Enabled *bool `json:"enabled,omitempty"`
 }
 
 type Values struct {
@@ -921,6 +925,10 @@ type Values struct {
 // Configuration for the base component.
 Base *BaseConfig `json:"base,omitempty"`
 // Configuration for istiod-remote.
+ // DEPRECATED - istiod-remote chart is removed and replaced with
+ // `istio-discovery --set values.istiodRemote.enabled=true`
+ //
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"`
 // Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration
 // is created for each alias.
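Review bot: The comment on the new `IstiodRemoteConfig.Enabled` field (hunk at line 898) is a sentence fragment that ends in a comma, `// Indicates if this cluster/install should consume a "remote" istiod instance,` — it reads as if a second clause was dropped. Suggest closing it as `// Indicates if this cluster/install should consume a "remote" istiod instance.` or, if the intent was to describe the consequence, completing the sentence. In the same spirit the new `ExcludedCRDs` comment in `BaseConfig` (hunk at line 884) names a prerequisite, `enableCRDTemplates`, without saying whether an entry is ignored or rejected when that flag is off; a few words on that would save readers a trip to the templates.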
@@ -957,6 +965,22 @@ type WaypointConfig struct {
 //
 // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
 Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"`
+ // K8s affinity settings for waypoint pods.
+ //
+ // See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ Affinity *k8sv1.Affinity `json:"affinity,omitempty"`
+ // K8s topology spread constraints settings.
+ //
+ // See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ TopologySpreadConstraints []*k8sv1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+ // K8s node labels settings.
+ //
+ // See https://kubernetes.io/docs/user-guide/node-selection/
+ NodeSelector *k8sv1.NodeSelector `json:"nodeSelector,omitempty"`
+ // K8s tolerations settings.
+ //
+ // See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ Toleration []*k8sv1.Toleration `json:"toleration,omitempty"`
 }
 
 // CNIGlobalConfig is a subset of the Global Configuration used in the Istio CNI chart.
@@ -964,7 +988,7 @@ type CNIGlobalConfig struct {
 // Default k8s resources settings for all Istio co
 //
 // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
 //
- // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ // Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 DefaultResources *k8sv1.ResourceRequirements `json:"defaultResources,omitempty"`
 // Specifies the docker hub for Istio images.
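Review bot: `NodeSelector *k8sv1.NodeSelector` in the new `WaypointConfig` fields (hunk at line 957) has a different shape from every other node selector in this file — `PilotConfig.NodeSelector` and `GlobalConfig.DefaultNodeSelector` are `map[string]string`, the shape of a pod spec `nodeSelector` — while `k8sv1.NodeSelector` is the `nodeSelectorTerms` structure used inside node affinity, which does not match its own comment "K8s node labels settings". If the waypoint template renders this into a pod `nodeSelector`, `NodeSelector map[string]string `json:"nodeSelector,omitempty"`` is the consistent type; if the affinity-term structure is really intended, the comment should say so. The tolerations field is also named `Toleration` with json key `toleration` and element type `[]*k8sv1.Toleration`, where the rest of the file uses `Tolerations` / `tolerations` / `[]k8sv1.Toleration`; unless the waypoint chart already reads `toleration`, aligning the name avoids a values key that differs from every other component. I cannot see the chart, so the consuming template should be checked before renaming.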
@@ -1012,12 +1036,12 @@ const (
 MeshConfigIngressControllerModeOff MeshConfigIngressControllerMode = "OFF"
 // Istio ingress controller will act on ingress resources that do not
 // contain any annotation or whose annotations match the value
- // specified in the ingress_class parameter described earlier. Use this
+ // specified in the ingressClass parameter described earlier. Use this
 // mode if Istio ingress controller will be the default ingress
 // controller for the entire Kubernetes cluster.
 MeshConfigIngressControllerModeDefault MeshConfigIngressControllerMode = "DEFAULT"
 // Istio ingress controller will only act on ingress resources whose
- // annotations match the value specified in the ingress_class parameter
+ // annotations match the value specified in the ingressClass parameter
 // described earlier. Use this mode if Istio ingress controller will be
 // a secondary ingress controller (e.g., in addition to a
 // cloud-provided ingress controller).
@@ -1190,7 +1214,7 @@ type MeshConfig struct {
 // the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`.
 // By default, `ingressgateway` is used, which will select the default IngressGateway as it has the
 // `istio: ingressgateway` labels.
- // It is recommended that this is the same value as ingress_service.
+ // It is recommended that this is the same value as ingressService.
 IngressSelector string `json:"ingressSelector,omitempty"`
 // Flag to control generation of trace spans and request IDs.
 // Requires a trace span collector defined in the proxy configuration.
@@ -1251,7 +1275,7 @@ type MeshConfig struct {
 // The trust domain corresponds to the trust root of a system.
 // Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)
 TrustDomain string `json:"trustDomain,omitempty"`
- // The trust domain aliases represent the aliases of `trust_domain`.
+ // The trust domain aliases represent the aliases of `trustDomain`.
 // For example, if we have
 // ```yaml
 // trustDomain: td1
@@ -1265,7 +1289,7 @@ type MeshConfig struct {
 // are automatically added by Istiod.
 // The CA certificate that signs the workload certificates is automatically added by Istio Agent.
 CaCertificates []*MeshConfigCertificateData `json:"caCertificates,omitempty"`
- // The default value for the ServiceEntry.export_to field and services
+ // The default value for the ServiceEntry.exportTo field and services
 // imported through container registry integrations, e.g. this applies to
 // Kubernetes Service resources. The value is a list of namespace names and
 // reserved namespace aliases. The allowed namespace aliases are:
@@ -1290,14 +1314,14 @@ type MeshConfig struct {
 // For further discussion see the reference documentation for `ServiceEntry`,
 // `Sidecar`, and `Gateway`.
 DefaultServiceExportTo []string `json:"defaultServiceExportTo,omitempty"`
- // The default value for the VirtualService.export_to field. Has the same
- // syntax as `default_service_export_to`.
+ // The default value for the VirtualService.exportTo field. Has the same
+ // syntax as `defaultServiceExportTo`.
 //
 // If not set the system will use "*" as the default value which implies that
 // virtual services are exported to all namespaces
 DefaultVirtualServiceExportTo []string `json:"defaultVirtualServiceExportTo,omitempty"`
- // The default value for the `DestinationRule.export_to` field. Has the same
- // syntax as `default_service_export_to`.
+ // The default value for the `DestinationRule.exportTo` field. Has the same
+ // syntax as `defaultServiceExportTo`.
 //
 // If not set the system will use "*" as the default value which implies that
 // destination rules are exported to all namespaces
@@ -1478,7 +1502,7 @@ type MeshConfig struct {
 // Note: Mesh mTLS does not respect ECDH curves.
 MeshMTLS *MeshConfigTLSConfig `json:"meshMTLS,omitempty"`
 // Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
- // Currently, this supports configuration of ecdh_curves and cipher_suites only.
+ // Currently, this supports configuration of ecdhCurves and cipherSuites only.
 // For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
 TlsDefaults *MeshConfigTLSConfig `json:"tlsDefaults,omitempty"`
 }
@@ -1492,7 +1516,7 @@ type ConfigSource struct {
 // Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
 // fs:/// to specify a file-based backend with absolute path to the directory.
 Address string `json:"address,omitempty"`
- // Use the tls_settings to specify the tls mode to use. If the MCP server
+ // Use the tlsSettings to specify the tls mode to use. If the MCP server
 // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
 // mode as `ISTIO_MUTUAL`.
 TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"`
@@ -1559,12 +1583,12 @@ type MeshConfigCertificateData struct {
 // Optional. Specify the list of trust domains to which this trustAnchor data belongs.
 // If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
 // and its aliases.
- // Note that we can have multiple trustAnchor data for a same trust_domain.
+ // Note that we can have multiple trustAnchor data for a same trustDomain.
 // In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
- // If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
- // If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
- // If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
- // If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.
+ // If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers.
+ // If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers.
+ // If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
+ // If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.
 TrustDomains []string `json:"trustDomains,omitempty"`
 }
@@ -1577,7 +1601,7 @@ type MeshConfigCertificateData struct {
 // ```yaml
 // serviceSettings:
 // - settings:
-// cluster_local: true
+// clusterLocal: true
 // hosts:
 // - "*.foo.svc.cluster.local"
 // - "bar.baz.svc.cluster.local"
@@ -1599,8 +1623,8 @@ type MeshConfigCA struct {
 // Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000
 // +kubebuilder:validation:Required
 Address string `json:"address"`
- // Use the tls_settings to specify the tls mode to use.
- // Regarding tls_settings:
+ // Use the tlsSettings to specify the tls mode to use.
+ // Regarding tlsSettings:
 // - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
 // DISABLE MODE can also be used for testing
 // - TLS MUTUAL MODE be on by default. If the CA certificates
@@ -1610,7 +1634,7 @@ type MeshConfigCA struct {
 // timeout for forward CSR requests from Istiod to External CA
 // Default: 10s
 RequestTimeout *metav1.Duration `json:"requestTimeout,omitempty"`
- // Use istiod_side to specify CA Server integrate to Istiod side or Agent side
+ // Use istiodSide to specify CA Server integrate to Istiod side or Agent side
 // Default: true
 IstiodSide bool `json:"istiodSide,omitempty"`
 }
@@ -1675,7 +1699,7 @@ type MeshConfigExtensionProvider struct {
 // Holds the name references to the providers that will be used by default
 // in other Istio configuration resources if the provider is not specified.
 //
-// These names must match a provider defined in `extension_providers` that is
+// These names must match a provider defined in `extensionProviders` that is
 // one of the supported tracing providers.
 type MeshConfigDefaultProviders struct {
 // Name of the default provider(s) for tracing.
@@ -1739,12 +1763,12 @@ type MeshConfigServiceSettingsSettings struct {
 
 type MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody struct {
 // Sets the maximum size of a message body that the ext-authz filter will hold in memory.
- // If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
+ // If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
 // Otherwise the request will be sent to the provider with a partial message.
- // Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the
- // fail_open is set to true.
+ // Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
+ // failOpen is set to true.
 MaxRequestBytes uint32 `json:"maxRequestBytes,omitempty"`
- // When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
+ // When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
 // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
 // A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
 // indicating if the body data is partial.
@@ -1752,7 +1776,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody struct {
 // If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
 // in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
 // Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
- // This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.
+ // This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
 PackAsBytes bool `json:"packAsBytes,omitempty"`
 }
 
@@ -1770,7 +1794,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct {
 Port uint32 `json:"port"`
 // The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
 // When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
- // In this situation, the response sent back to the client will depend on the configured `fail_open` field.
+ // In this situation, the response sent back to the client will depend on the configured `failOpen` field.
 Timeout *metav1.Duration `json:"timeout,omitempty"`
 // Sets a prefix to the value of authorization request header *Path*.
 // For example, setting this to "/check" for an original user request at path "/admin" will cause the
@@ -1783,7 +1807,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct {
 // Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
 // The default status is "403" (HTTP Forbidden).
 StatusOnError string `json:"statusOnError,omitempty"`
- // DEPRECATED. Use include_request_headers_in_check instead.
+ // DEPRECATED. Use includeRequestHeadersInCheck instead.
 //
 // Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto.
 IncludeHeadersInCheck []string `json:"includeHeadersInCheck,omitempty"`
@@ -1791,7 +1815,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct {
 // Note that in addition to the headers specified here following headers are included by default:
 // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
 // 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization
- // request can include the buffered client request body (controlled by include_request_body_in_check setting),
+ // request can include the buffered client request body (controlled by includeRequestBodyInCheck setting),
 // consequently the value of Content-Length of the authorization request reflects the size of its payload size.
 //
 // Exact, prefix and suffix matches are supported (similar to the
@@ -1803,7 +1827,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct {
 IncludeRequestHeadersInCheck []string `json:"includeRequestHeadersInCheck,omitempty"`
 // Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
 // Key is the header name and value is the header value.
- // Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.
+ // Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.
 IncludeAdditionalHeadersInCheck map[string]string `json:"includeAdditionalHeadersInCheck,omitempty"`
 // If set, the client request body will be included in the authorization request sent to the authorization service.
 IncludeRequestBodyInCheck *MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody `json:"includeRequestBodyInCheck,omitempty"`
@@ -1862,7 +1886,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationGrpcProvider struct {
 Port uint32 `json:"port"`
 // The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
 // When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
- // In this situation, the response sent back to the client will depend on the configured `fail_open` field.
+ // In this situation, the response sent back to the client will depend on the configured `failOpen` field.
 Timeout *metav1.Duration `json:"timeout,omitempty"`
 // If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
 // or if the authorization service has returned a HTTP 5xx error.
@@ -1894,6 +1918,9 @@ type MeshConfigExtensionProviderZipkinTracingProvider struct {
 // Optional. A 128 bit trace id will be used in Istio.
 // If true, will result in a 64 bit trace id being used.
 Enable64BitTraceId bool `json:"enable64bitTraceId,omitempty"`
+ // Optional. Specifies the endpoint of Zipkin API.
+ // The default value is "/api/v2/spans".
+ Path string `json:"path,omitempty"`
 }
 
 // Defines configuration for a Lightstep tracer.
@@ -2184,6 +2211,47 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct {
 //
 // ```
 Http *MeshConfigExtensionProviderHttpService `json:"http,omitempty"`
+ // Optional. Specifies the configuration for exporting OTLP traces via GRPC.
+ // When empty, traces will check whether HTTP is set.
+ // If not, traces will use default GRPC configurations.
+ //
+ // The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:
+ //
+ // 1. Add/change the OpenTelemetry extension provider in `MeshConfig`
+ // ```yaml
+ // - name: opentelemetry
+ // opentelemetry:
+ // port: 8090
+ // service: tracing.example.com
+ // grpc:
+ // timeout: 10s
+ // initialMetadata:
+ // - name: "Authentication"
+ // value: "token-xxxxx"
+ //
+ // ```
+ //
+ // 2. Deploy a `ServiceEntry` for the observability back-end
+ // ```yaml
+ // apiVersion: networking.istio.io/v1alpha3
+ // kind: ServiceEntry
+ // metadata:
+ //
+ // name: tracing-grpc
+ //
+ // spec:
+ //
+ // hosts:
+ // - tracing.example.com
+ // ports:
+ // - number: 8090
+ // name: grpc-port
+ // protocol: GRPC
+ // resolution: DNS
+ // location: MESH_EXTERNAL
+ //
+ // ```
+ Grpc *MeshConfigExtensionProviderGrpcService `json:"grpc,omitempty"`
 // Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/)
 // to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
 // according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge).
@@ -2196,7 +2264,7 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct {
 // opentelemetry:
 // port: 443
 // service: my.olly-backend.com
- // resource_detectors:
+ // resourceDetectors:
 // environment: {}
 //
 // ```
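Review bot: The comment on the new `Grpc` field (hunk at line 2184) says traces "will check whether HTTP is set" only when `grpc` is empty, which implies `grpc` wins when both `grpc` and `http` are configured, but it never states that rule. Suggest making the precedence explicit, e.g. `// If both grpc and http are set, grpc takes precedence.` — assuming that matches the implementation, which is not visible in this diff. The `initialMetadata` example also puts a credential-like value (`value: "token-xxxxx"`) directly in `MeshConfig`; a short reminder that these values are stored in clear text in the mesh configuration resource, as is already the case for `http` headers, would help operators decide what belongs there.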
@@ -2217,11 +2285,11 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct {
 // headers:
 // - name: "Authorization"
 // value: "Api-Token dt0c01."
- // resource_detectors:
+ // resourceDetectors:
 // dynatrace: {}
- // dynatrace_sampler:
+ // dynatraceSampler:
 // tenant: "{your-environment-id}"
- // cluster_id: 1234
+ // clusterId: 1234
 DynatraceSampler *MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler `json:"dynatraceSampler,omitempty"`
 }
 
@@ -2253,6 +2321,17 @@ type MeshConfigExtensionProviderResourceDetectors struct {
 Dynatrace *MeshConfigExtensionProviderResourceDetectorsDynatraceResourceDetector `json:"dynatrace,omitempty"`
 }
 
+// Defines configuration for an GRPC service that can be used by an Extension Provider.
+// that does communication via GRPC.
+type MeshConfigExtensionProviderGrpcService struct {
+ // Optional. Specifies the timeout for the GRPC request.
+ Timeout *metav1.Duration `json:"timeout,omitempty"`
+ // Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
+ // scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to
+ // be injected.
+ InitialMetadata []*MeshConfigExtensionProviderHttpHeader `json:"initialMetadata,omitempty"`
+}
+
 type MeshConfigExtensionProviderStackdriverProviderLogging struct {
 // Collection of tag names and tag expressions to include in the log
 // entry. Conflicts are resolved by the tag name by overriding previously
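Review bot: The doc comment on the new `MeshConfigExtensionProviderGrpcService` type (hunk at line 2253) has a grammar slip, "an GRPC", and a dangling fragment on its second line, "that does communication via GRPC.", that reads like a leftover from an edit. Suggest collapsing it to `// Defines configuration for a GRPC service that can be used by an Extension Provider that communicates via GRPC.`. The `InitialMetadata` comment also uses mismatched typographic quotes around the example (`“x-foo-bar: baz-key“`); ASCII quotes or backticks, as the rest of this file uses, would avoid that.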
@@ -2299,7 +2378,7 @@ type MeshConfigExtensionProviderEnvoyOpenTelemetryLogProviderLogFormat struct {
 // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
 // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
 // provides more information.
- // Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
+ // Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
 // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
 Text string `json:"text,omitempty"`
 // Optional. Additional attributes that describe the specific event occurrence.
@@ -2308,7 +2387,7 @@ type MeshConfigExtensionProviderEnvoyOpenTelemetryLogProviderLogFormat struct {
 // as strings, numbers, or boolean values, as appropriate
 // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
 // supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
- // Alias to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
+ // Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
 //
 // Example:
 // ```
@@ -2338,8 +2417,8 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler str
 //
 // A default value of `1000` is used when:
 //
- // - `root_spans_per_minute` is unset
- // - `root_spans_per_minute` is set to 0
+ // - `rootSpansPerMinute` is unset
+ // - `rootSpansPerMinute` is set to 0
 RootSpansPerMinute uint32 `json:"rootSpansPerMinute,omitempty"`
 // Optional. Dynatrace HTTP API to obtain sampling configuration.
 //
@@ -2434,7 +2513,7 @@ type MeshNetworks struct {
 // 2. Explicitly:
 //
 // a. By matching the registry name with one of the "fromRegistry"
-// in the mesh config. A "from_registry" can only be assigned to a
+// in the mesh config. A "fromRegistry" can only be assigned to a
 // single network.
 //
 // b. By matching the IP against one of the CIDR ranges in a mesh
@@ -2493,7 +2572,7 @@ const (
 )
 
 // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
-// header is handled by the gateway proxy.
+// header is handled by a proxy.
 // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
 // header handling for more details.
 // +kubebuilder:validation:Enum=UNDEFINED;SANITIZE;FORWARD_ONLY;APPEND_FORWARD;SANITIZE_SET;ALWAYS_FORWARD_ONLY
@@ -2502,16 +2581,16 @@ type ForwardClientCertDetails string
 const (
 // Field is not set
 ForwardClientCertDetailsUndefined ForwardClientCertDetails = "UNDEFINED"
- // Do not send the XFCC header to the next hop. This is the default value.
+ // Do not send the XFCC header to the next hop.
 ForwardClientCertDetailsSanitize ForwardClientCertDetails = "SANITIZE"
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
 // in the request.
 ForwardClientCertDetailsForwardOnly ForwardClientCertDetails = "FORWARD_ONLY"
 // When the client connection is mTLS, append the client certificate
- // information to the request’s XFCC header and forward it.
+ // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.
 ForwardClientCertDetailsAppendForward ForwardClientCertDetails = "APPEND_FORWARD"
 // When the client connection is mTLS, reset the XFCC header with the client
- // certificate information and send it to the next hop.
+ // certificate information and send it to the next hop. This is the default value for gateway proxies.
 ForwardClientCertDetailsSanitizeSet ForwardClientCertDetails = "SANITIZE_SET"
 // Always forward the XFCC header in the request, regardless of whether the
 // client connection is mTLS.
@@ -2545,7 +2624,7 @@ const (
 )
 
 // Allows specification of various Istio-supported naming schemes for the
-// Envoy `service_cluster` value. The `servce_cluster` value is primarily used
+// Envoy `service_cluster` value. The `service_cluster` value is primarily used
 // by Envoys to provide service names for tracing spans.
 // +kubebuilder:validation:Enum=APP_LABEL_AND_NAMESPACE;CANONICAL_NAME_ONLY;CANONICAL_NAME_AND_NAMESPACE
 type ProxyConfigTracingServiceName string
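Review bot: The rewritten enum comments (hunk at line 2502) now say `APPEND_FORWARD` is the default for sidecar proxies and `SANITIZE_SET` for gateway proxies, but the comment on `ProxyConfigProxyHeaders.ForwardedClientCert`, visible as context in the hunk at line 3090, still states "By default, `APPEND_FORWARD` will be used." without qualification. One of the two is now wrong for gateways; suggest changing the field comment to `// By default, APPEND_FORWARD is used for sidecars and SANITIZE_SET for gateways.` so the enum and the field that carries it agree. The `ProxyConfigProxyHeaders` struct itself starts outside the visible hunks.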
@@ -2632,7 +2711,7 @@ type Tracing struct {
 // The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
 // if not requested by the client or not forced. Default is 1.0.
 Sampling float64 `json:"sampling,omitempty"`
- // Use the tls_settings to specify the tls mode to use. If the remote tracing service
+ // Use the tlsSettings to specify the tls mode to use. If the remote tracing service
 // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
 // mode as `ISTIO_MUTUAL`.
 TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"`
@@ -2665,7 +2744,7 @@ type Topology struct {
 // address to the X-Forwarded-For (XFF) address and set the
 // X-Envoy-External-Address header to the trusted client address before
 // forwarding it to the upstream services in the cluster.
- // The default value of num_trusted_proxies is 0.
+ // The default value of numTrustedProxies is 0.
 // See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
 // header handling for more details.
 NumTrustedProxies uint32 `json:"numTrustedProxies,omitempty"`
@@ -2831,7 +2910,7 @@ type MeshConfigProxyConfig struct {
 // The amount of time allowed for connections to complete on proxy shutdown.
 // On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
 // discouraging any new connections and allowing existing connections to complete. It then
- // sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes.
+ // sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
 // If not set, a default of `5s` will be applied.
 TerminationDrainDuration *metav1.Duration `json:"terminationDrainDuration,omitempty"`
 // The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
@@ -2926,7 +3005,7 @@ type RemoteService struct { // receiver, metrics receiver, etc.). Can be IP address or a fully // qualified DNS name. Address string `json:"address,omitempty"` - // Use the `tls_settings` to specify the tls mode to use. If the remote service + // Use the `tlsSettings` to specify the tls mode to use. If the remote service // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` @@ -3090,6 +3169,11 @@ type ProxyConfigProxyHeaders struct { // To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). // By default, `APPEND_FORWARD` will be used. ForwardedClientCert ForwardClientCertDetails `json:"forwardedClientCert,omitempty"` + // This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + // and the client connection is mTLS. It specifies the fields in + // the client certificate to be forwarded. Note that `Hash` is always set, and + // `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + SetCurrentClientCertDetails *ProxyConfigProxyHeadersSetCurrentClientCertDetails `json:"setCurrentClientCertDetails,omitempty"` // Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. // This applies to all types of traffic (inbound, outbound, and gateways). // If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. 
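Review bot: The new doc comment on `SetCurrentClientCertDetails` refers to `forward_client_cert_details`, which is the proto field name, while the field in this Go struct is `ForwardedClientCert` (JSON `forwardedClientCert`); the rest of this commit deliberately replaces such snake_case references with the camelCase names (`tlsSettings`, `numTrustedProxies`, `terminationDrainDuration`), so this one looks like it was missed. Suggest `// This field is valid only when forwardedClientCert is APPEND_FORWARD or SANITIZE_SET`. The `ProxyConfigProxyHeaders` struct extends past the end of this hunk, so other fields in it are not visible here.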
@@ -3138,6 +3222,26 @@ type ProxyConfigProxyHeadersMetadataExchangeHeaders struct { Mode ProxyConfigProxyHeadersMetadataExchangeMode `json:"mode,omitempty"` } +type ProxyConfigProxyHeadersSetCurrentClientCertDetails struct { + // Whether to forward the subject of the client cert. Defaults to true. + Subject *bool `json:"subject,omitempty"` + // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + // XFCC header comma separated from other values with the value Cert="PEM". + // Defaults to false. + Cert bool `json:"cert,omitempty"` + // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + // format. This will appear in the XFCC header comma separated from other values with the value + // Chain="PEM". + // Defaults to false. + Chain bool `json:"chain,omitempty"` + // Whether to forward the DNS type Subject Alternative Names of the client cert. + // Defaults to true. + Dns *bool `json:"dns,omitempty"` + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // true. + Uri *bool `json:"uri,omitempty"` +} + // The following values are used to construct proxy image url. // format: `${hub}/${image_name}/${tag}-${image_type}`, // example: `docker.io/istio/proxyv2:1.11.1` or `docker.io/istio/proxyv2:1.11.1-distroless`. 
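Review bot: `ProxyConfigProxyHeadersSetCurrentClientCertDetails` is added without a type-level doc comment, whereas neighbouring types in this file carry one (for example the comment preceding `type ProxyConfigTracingServiceName string` earlier in this diff), and `kubectl explain` on the CRD will show nothing for the object itself. Suggest a leading comment along the lines of `// Selects which client-certificate details are placed in the XFCC header when forwardedClientCert is APPEND_FORWARD or SANITIZE_SET. Enabling cert or chain sends the full URL-encoded PEM certificate (chain) to every upstream hop, which increases request header size and exposes certificate contents to those upstreams; both default to false.` It is also worth a one-line comment explaining why `Subject`, `Dns` and `Uri` are `*bool` but `Cert` and `Chain` are plain `bool`: with `omitempty`, a plain `bool` cannot express an explicit `false`, which is presumably acceptable only because `false` is already the default for those two.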
@@ -3186,8 +3290,8 @@ type WorkloadSelector struct { // the configuration namespace in which the resource is present. // +kubebuilder:validation:XValidation:message="wildcard not allowed in label key match",rule="self.all(key, !key.contains('*'))" // +kubebuilder:validation:XValidation:message="key must not be empty",rule="self.all(key, key.size() != 0)" - // +kubebuilder:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')" - // +kubebuilder:map-value-validation:MaxLength=63 + // +protoc-gen-crd:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')" + // +protoc-gen-crd:map-value-validation:MaxLength=63 // +kubebuilder:validation:MaxProperties=4096 MatchLabels map[string]string `json:"matchLabels,omitempty"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 97e2fda45..847e60775 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -45,6 +45,11 @@ func (in *ArchConfig) DeepCopy() *ArchConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BaseConfig) DeepCopyInto(out *BaseConfig) { *out = *in + if in.ExcludedCRDs != nil { + in, out := &in.ExcludedCRDs, &out.ExcludedCRDs + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaseConfig. 
@@ -1000,6 +1005,11 @@ func (in *IstiodConfig) DeepCopy() *IstiodConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IstiodRemoteConfig) DeepCopyInto(out *IstiodRemoteConfig) { *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstiodRemoteConfig. @@ -1698,6 +1708,37 @@ func (in *MeshConfigExtensionProviderEnvoyTcpGrpcV3LogProvider) DeepCopy() *Mesh return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshConfigExtensionProviderGrpcService) DeepCopyInto(out *MeshConfigExtensionProviderGrpcService) { + *out = *in + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(metav1.Duration) + **out = **in + } + if in.InitialMetadata != nil { + in, out := &in.InitialMetadata, &out.InitialMetadata + *out = make([]*MeshConfigExtensionProviderHttpHeader, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(MeshConfigExtensionProviderHttpHeader) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderGrpcService. +func (in *MeshConfigExtensionProviderGrpcService) DeepCopy() *MeshConfigExtensionProviderGrpcService { + if in == nil { + return nil + } + out := new(MeshConfigExtensionProviderGrpcService) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshConfigExtensionProviderHttpHeader) DeepCopyInto(out *MeshConfigExtensionProviderHttpHeader) { *out = *in 
@@ -1787,6 +1828,11 @@ func (in *MeshConfigExtensionProviderOpenTelemetryTracingProvider) DeepCopyInto( *out = new(MeshConfigExtensionProviderHttpService) (*in).DeepCopyInto(*out) } + if in.Grpc != nil { + in, out := &in.Grpc, &out.Grpc + *out = new(MeshConfigExtensionProviderGrpcService) + (*in).DeepCopyInto(*out) + } if in.ResourceDetectors != nil { in, out := &in.ResourceDetectors, &out.ResourceDetectors *out = new(MeshConfigExtensionProviderResourceDetectors) @@ -2528,6 +2574,11 @@ func (in *PilotConfig) DeepCopyInto(out *PilotConfig) { *out = new(PilotTaintControllerConfig) **out = **in } + if in.IstiodRemote != nil { + in, out := &in.IstiodRemote, &out.IstiodRemote + *out = new(IstiodRemoteConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PilotConfig. @@ -2743,6 +2794,11 @@ func (in *ProxyConfig) DeepCopy() *ProxyConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyHeaders) DeepCopyInto(out *ProxyConfigProxyHeaders) { *out = *in + if in.SetCurrentClientCertDetails != nil { + in, out := &in.SetCurrentClientCertDetails, &out.SetCurrentClientCertDetails + *out = new(ProxyConfigProxyHeadersSetCurrentClientCertDetails) + (*in).DeepCopyInto(*out) + } if in.RequestId != nil { in, out := &in.RequestId, &out.RequestId *out = new(ProxyConfigProxyHeadersRequestId) 
@@ -2875,6 +2931,36 @@ func (in *ProxyConfigProxyHeadersServer) DeepCopy() *ProxyConfigProxyHeadersServ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopyInto(out *ProxyConfigProxyHeadersSetCurrentClientCertDetails) { + *out = *in + if in.Subject != nil { + in, out := &in.Subject, &out.Subject + *out = new(bool) + **out = **in + } + if in.Dns != nil { + in, out := &in.Dns, &out.Dns + *out = new(bool) + **out = **in + } + if in.Uri != nil { + in, out := &in.Uri, &out.Uri + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersSetCurrentClientCertDetails. +func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopy() *ProxyConfigProxyHeadersSetCurrentClientCertDetails { + if in == nil { + return nil + } + out := new(ProxyConfigProxyHeadersSetCurrentClientCertDetails) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyStatsMatcher) DeepCopyInto(out *ProxyConfigProxyStatsMatcher) { *out = *in @@ -3803,12 +3889,12 @@ func (in *Values) DeepCopyInto(out *Values) { if in.Base != nil { in, out := &in.Base, &out.Base *out = new(BaseConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.IstiodRemote != nil { in, out := &in.IstiodRemote, &out.IstiodRemote *out = new(IstiodRemoteConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.RevisionTags != nil { in, out := &in.RevisionTags, &out.RevisionTags 
@@ -3840,6 +3926,38 @@ func (in *WaypointConfig) DeepCopyInto(out *WaypointConfig) { *out = new(v1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(v1.Affinity) + (*in).DeepCopyInto(*out) + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]*v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1.TopologySpreadConstraint) + (*in).DeepCopyInto(*out) + } + } + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = new(v1.NodeSelector) + (*in).DeepCopyInto(*out) + } + if in.Toleration != nil { + in, out := &in.Toleration, &out.Toleration + *out = make([]*v1.Toleration, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1.Toleration) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WaypointConfig. diff --git a/bundle.Dockerfile b/bundle.Dockerfile index c95e3e9f0..a31d40816 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile 
@@ -4,9 +4,9 @@ FROM scratch LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ -LABEL operators.operatorframework.io.bundle.package.v1=servicemeshoperator3 -LABEL operators.operatorframework.io.bundle.channels.v1="candidates" -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.36.1 +LABEL operators.operatorframework.io.bundle.package.v1=sailoperator +LABEL operators.operatorframework.io.bundle.channels.v1="dev-0.2" +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.37.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 diff --git a/bundle/README.md b/bundle/README.md index e2878edf1..078ef4d31 100644 --- a/bundle/README.md +++ b/bundle/README.md @@ -88,9 +88,9 @@ drop down menu when creating a new `Istio` with the OpenShift Container Platform web console. For a list of available versions, see the [versions.yaml](/versions.yaml) file or use the command: - ```sh - $ kubectl explain istio.spec.version - ``` +```sh +$ kubectl explain istio.spec.version +``` ### Customizing Istio configuration @@ -131,9 +131,9 @@ spec: For a list of available configuration for the `spec.values` field, run the following command: - ```sh - $ kubectl explain istio.spec.values - ``` +```sh +$ kubectl explain istio.spec.values +``` For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. 
@@ -151,53 +151,7 @@ Alternatively, refer to [Istio's artifacthub chart documentation](https://artifa The `istioctl` tool is a configuration command line utility that allows service operators to debug and diagnose Istio service mesh deployments. - -### Prerequisites - -Use an `istioctl` version that is the same version as the Istio control plane -for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid -releases, including Beta releases. - - -### Procedure - -1. Confirm if you have `istioctl` installed, and if so which version, by running -the following command at the terminal: - - ```sh - $ istioctl version - ``` - -1. Confirm the version of Istio you are using by running the following command -at the terminal: - - ```sh - $ oc -n istio-system get istio - ``` - -1. Install `istioctl` by running the following command at the terminal: - - ```sh - $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - - ``` - Replace `` with the version of Istio you are using. - -1. Put the `istioctl` directory on path by running the following command at the terminal: - - ```sh - $ export PATH=$HOME/.istioctl/bin:$PATH - ``` - -1. Confirm that the `istioctl` client version and the Istio control plane -version now match (or are within one version) by running the following command -at the terminal: - - ```sh - $ istioctl version - ``` - - -*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). ## Installing the Bookinfo Application 
@@ -205,30 +159,7 @@ You can use the `bookinfo` example application to explore service mesh features. Using the `bookinfo` application, you can easily confirm that requests from a web browser pass through the mesh and reach the application. -The `bookinfo` application displays information about a book, similar to a -single catalog entry of an online book store. The application displays a page -that describes the book, lists book details (ISBN, number of pages, and other -information), and book reviews. - -The `bookinfo` application is exposed through the mesh, and the mesh configuration -determines how the microservices comprising the application are used to serve -requests. The review information comes from one of three services: `reviews-v1`, -`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without -defining the `reviews` virtual service, then the mesh uses a round-robin rule to -route requests to a service. - -By deploying the `reviews` virtual service, you can specify a different behavior. -For example, you can specify that if a user logs into the `bookinfo` application, -then the mesh routes requests to the `reviews-v2` service, and the application -displays reviews with black stars. If a user does not log into the `bookinfo` -application, then the mesh routes requests to the `reviews-v3` service, and the -application displays reviews with red stars. - -For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. - -After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you -will need to create and configure a gateway** for the `bookinfo` application to -be accessible outside the cluster. +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). ## Creating and Configuring Gateways 
@@ -240,81 +171,7 @@ contains the control plane. You can deploy gateways using either the Gateway API or Gateway Injection methods. - -### Option 1: Istio Gateway Injection - -Gateway Injection uses the same mechanisms as Istio sidecar injection to create -a gateway from a `Deployment` resource that is paired with a `Service` resource -that can be made accessible from outside the cluster. For more information, see -[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). - -To configure gateway injection with the `bookinfo` application, we have provided -a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace -where the application is installed: - -1. Create the `istio-ingressgateway` deployment and service: - - ```sh - $ oc apply -f -n ingress-gateway.yaml - ``` - -2. Configure the `bookinfo` application with the new gateway: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml - ``` - -3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: - - ```sh - $ oc expose service istio-ingressgateway - ``` - -4. Finally, obtain the gateway host name and the URL of the product page: - - ```sh - $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') - $ echo http://$HOST/productpage - ``` - -Verify that the `productpage` is accessible from a web browser. - - -### Option 2: Kubernetes Gateway API - -Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it -the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more -information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. 
- -As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are -not available by default and must be enabled to be used. This can be done with -the command: - -```sh -$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } -``` - -To configure `bookinfo` with a gateway using `Gateway API`: - -1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml - ``` - -2. Retrieve the host, port and gateway URL: - - ```sh - $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') - $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') - $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT - ``` - -3. Obtain the `productpage` URL and check that you can visit it from a browser: - - ```sh - $ echo "http://${GATEWAY_URL}/productpage" - ``` +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). ## Istio Addons Integrations 
@@ -324,118 +181,7 @@ Istio can be integrated with other software to provide additional functionality The following addons are for demonstration or development purposes only and should not be used in production environments: - -### Prometheus - -`Prometheus` is an open-source systems monitoring and alerting toolkit. You can -use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and -the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/). - -To install Prometheus, perform the following steps: - -1. Deploy `Prometheus`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml - ``` -2. Access to `Prometheus`console: - - * Expose the `Prometheus` service externally: - - ```sh - $ oc expose service prometheus -n istio-system - ``` - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system - ``` - - -### Grafana - -`Grafana` is an open-source platform for monitoring and observability. You can -use `Grafana` with the Sail Operator to configure dashboards for istio, see -[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information. - -To install Grafana, perform the following steps: - -1. Deploy `Grafana`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml - ``` - -2. Access to `Grafana`console: - - * Expose the `Grafana` service externally - - ```sh - $ oc expose service grafana -n istio-system - ``` - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system - ``` - - -### Jaeger - -`Jaeger` is an open-source end-to-end distributed tracing system. 
You can use -`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in -complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information. - -To install Jaeger, perform the following steps: - -1. Deploy `Jaeger`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml - ``` -2. Access to `Jaeger` console: - - * Expose the `Jaeger` service externally: - - ```sh - $ oc expose svc/tracing -n istio-system - ``` - - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system - ``` -*Note*: if you want to see some traces you can refresh several times the product -page of bookinfo app to start generating traces. - - -### Kiali - -`Kiali` is an open-source project that provides a graphical user interface to -visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information. - -To install Kiali, perform the following steps: - -1. Deploy `Kiali`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml - ``` - -2. Access to `Kiali` console: - - * Expose the `Kiali` service externally: - - ```sh - $ oc expose service kiali -n istio-system - ``` - - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system - ``` +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). ## Undeploying Istio and the Sail Operator diff --git a/bundle/manifests/extensions.istio.io_wasmplugins.yaml b/bundle/manifests/extensions.istio.io_wasmplugins.yaml index 88e2c95aa..22803cb14 100644 --- a/bundle/manifests/extensions.istio.io_wasmplugins.yaml +++ b/bundle/manifests/extensions.istio.io_wasmplugins.yaml 
@@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/networking.istio.io_envoyfilters.yaml b/bundle/manifests/networking.istio.io_envoyfilters.yaml index 334adad40..f2181cfc6 100644 --- a/bundle/manifests/networking.istio.io_envoyfilters.yaml +++ b/bundle/manifests/networking.istio.io_envoyfilters.yaml @@ -304,6 +304,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -311,12 +312,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/networking.istio.io_serviceentries.yaml b/bundle/manifests/networking.istio.io_serviceentries.yaml index c9bd00434..6fe1824c4 100644 --- a/bundle/manifests/networking.istio.io_serviceentries.yaml 
+++ b/bundle/manifests/networking.istio.io_serviceentries.yaml @@ -57,7 +57,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -132,6 +134,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -148,14 +155,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -163,11 +175,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -190,14 +212,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -269,6 +309,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -307,7 +349,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -382,6 +426,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -398,14 +447,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -413,11 +467,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -440,14 +504,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -519,6 +601,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -557,7 +641,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -632,6 +718,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -648,14 +739,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -663,11 +759,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -690,14 +796,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -769,6 +893,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/bundle/manifests/networking.istio.io_sidecars.yaml b/bundle/manifests/networking.istio.io_sidecars.yaml index 690339869..dd6b32b37 100644 --- a/bundle/manifests/networking.istio.io_sidecars.yaml +++ b/bundle/manifests/networking.istio.io_sidecars.yaml @@ -473,9 +473,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -1006,9 +1011,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -1539,9 +1549,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object diff --git a/bundle/manifests/networking.istio.io_workloadentries.yaml b/bundle/manifests/networking.istio.io_workloadentries.yaml index e61d58ac9..8ff93a410 100644 --- a/bundle/manifests/networking.istio.io_workloadentries.yaml +++ b/bundle/manifests/networking.istio.io_workloadentries.yaml @@ -175,8 +175,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -333,8 +331,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -491,8 +487,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true diff --git a/bundle/manifests/networking.istio.io_workloadgroups.yaml b/bundle/manifests/networking.istio.io_workloadgroups.yaml index 65e0a1b3f..486c0e689 100644 --- a/bundle/manifests/networking.istio.io_workloadgroups.yaml +++ b/bundle/manifests/networking.istio.io_workloadgroups.yaml 
@@ -45,10 +45,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -77,13 +79,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -98,6 +104,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -111,8 +118,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -120,15 +133,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -139,12 +155,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -204,8 +224,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -283,6 +301,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -311,10 +331,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -343,13 +365,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -364,6 +390,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -377,8 +404,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -386,15 +419,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -405,12 +441,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -470,8 +510,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -549,6 +587,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -577,10 +617,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -609,13 +651,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -630,6 +676,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -643,8 +690,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -652,15 +705,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -671,12 +727,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -736,8 +796,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -815,6 +873,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index 6b37a1d81..e3d386e7e 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml 
+++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: istiocnis.sailoperator.io spec: @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.0 + version: v1.23.2 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -379,7 +379,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -394,7 +394,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -562,7 +562,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -577,7 +577,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -743,7 +743,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -758,7 +758,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -926,7 +926,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -941,7 +941,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1079,13 +1079,13 @@ spec: description: |- Additional annotations to apply to the istio-cni Pods. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object privileged: description: |- No longer used for CNI. See: https://github.com/istio/istio/issues/49004 - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean provider: description: |- @@ -1123,7 +1123,7 @@ spec: description: |- No longer used. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string deletePods: description: |- @@ -1205,6 +1205,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1291,7 +1297,7 @@ spec: description: |- See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1311,6 +1317,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1392,14 +1404,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 091ee88d7..f94de37ce 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: istiorevisions.sailoperator.io spec: @@ -90,6 +90,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string 
@@ -118,7 +123,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -170,13 +175,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -190,7 +192,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -210,6 +212,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -251,7 +259,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -344,7 +352,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -411,7 +419,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -566,7 +574,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -610,7 +618,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- 
@@ -901,7 +909,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -922,6 +930,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1008,7 +1022,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1029,6 +1043,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1075,7 +1095,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1138,26 +1158,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1183,6 +2233,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1215,11 +2271,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1267,7 +2554,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1277,8 +2564,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1404,12 +2691,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1481,7 +2768,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1679,7 +2966,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1807,7 +3094,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1943,7 +3230,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2129,6 +3416,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2391,7 +3713,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2544,7 +3866,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2672,8 +3994,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2749,7 +4071,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2778,8 +4100,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -2962,7 +4284,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -2970,10 +4292,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -2981,7 +4303,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3007,7 +4329,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3081,11 +4403,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3098,7 +4420,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3106,10 +4428,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3117,7 +4439,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3126,7 +4448,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3167,7 +4489,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3292,7 +4614,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3300,7 +4622,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3470,11 +4792,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3551,8 +4873,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3565,6 +4887,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3643,7 +5009,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3779,6 +5145,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3880,7 +5251,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4188,7 +5559,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4257,7 +5628,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4304,7 +5675,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4632,7 +6003,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4647,7 +6018,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4815,7 +6186,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4830,7 +6201,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4996,7 +6367,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5011,7 +6382,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5179,7 +6550,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5194,7 +6565,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5429,7 +6800,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5488,6 +6859,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5507,7 +6898,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5525,7 +6916,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5535,7 +6926,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5549,7 +6940,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5558,7 +6949,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5578,6 +6969,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5617,7 +7014,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5630,7 +7027,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5693,7 +7090,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6047,6 +7444,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6060,6 +7458,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6669,7 +8068,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6892,6 +8291,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6923,6 +8357,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7074,10 +8509,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7462,6 +8900,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7476,6 +8915,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7506,6 +8946,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7520,6 +8961,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7560,6 +9002,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7927,11 +9370,11 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 3ba422ba5..57cd36751 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: istios.sailoperator.io spec: 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -76,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -145,6 +149,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -173,7 +182,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -225,13 +234,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with 
@@ -245,7 +251,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -265,6 +271,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -306,7 +318,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -399,7 +411,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -466,7 +478,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be 
@@ -621,7 +633,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -665,7 +677,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -956,7 +968,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -977,6 +989,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1063,7 +1081,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -1084,6 +1102,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1130,7 +1154,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1193,26 +1217,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1238,6 +2292,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1270,11 +2330,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1322,7 +2613,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1332,8 +2623,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1459,12 +2750,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1536,7 +2827,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1734,7 +3025,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1862,7 +3153,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1998,7 +3289,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2184,6 +3475,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2446,7 +3772,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2599,7 +3925,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2727,8 +4053,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2804,7 +4130,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2833,8 +4159,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3017,7 +4343,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3025,10 +4351,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3036,7 +4362,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3062,7 +4388,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3136,11 +4462,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3153,7 +4479,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3161,10 +4487,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3172,7 +4498,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3181,7 +4507,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3222,7 +4548,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3347,7 +4673,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3355,7 +4681,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3525,11 +4851,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3606,8 +4932,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3620,6 +4946,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3698,7 +5068,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3834,6 +5204,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3935,7 +5310,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4243,7 +5618,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4312,7 +5687,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4359,7 +5734,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4687,7 +6062,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4702,7 +6077,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4870,7 +6245,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4885,7 +6260,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5051,7 +6426,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5066,7 +6441,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5234,7 +6609,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5249,7 +6624,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5484,7 +6859,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5543,6 +6918,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5562,7 +6957,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5580,7 +6975,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5590,7 +6985,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5604,7 +6999,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5613,7 +7008,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5633,6 +7028,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5672,7 +7073,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5685,7 +7086,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5748,7 +7149,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6102,6 +7503,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6115,6 +7517,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6724,7 +8127,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6947,6 +8350,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6978,6 +8416,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7129,10 +8568,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7517,6 +8959,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7531,6 +8974,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7561,6 +9005,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7575,6 +9020,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7615,6 +9061,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7980,14 +9427,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: @@ -8001,6 +9448,9 @@ spec: status: description: IstioStatus defines the observed state of Istio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index f77d7cc7a..f0511ee38 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 creationTimestamp: null name: remoteistios.sailoperator.io spec: @@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -71,7 +75,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: RemoteIstioSpec defines the desired state of RemoteIstio properties: namespace: @@ -140,6 +144,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -168,7 +177,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch 
@@ -220,13 +229,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -240,7 +246,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -260,6 +266,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -301,7 +313,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches 
@@ -394,7 +406,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -461,7 +473,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -616,7 +628,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -660,7 +672,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -951,7 +963,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -972,6 +984,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1058,7 +1076,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1079,6 +1097,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1125,7 +1149,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1188,26 +1212,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: |-
+ namespaces specifies a static list of namespace names that the term applies to.
+ The term is applied to the union of the namespaces listed in this field
+ and the ones selected by namespaceSelector.
+ null or empty namespaces list and null namespaceSelector means "this pod's namespace".
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ description: |-
+ This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
+ the labelSelector in the specified namespaces, where co-located is defined as running on a node
+ whose value of the label with key topologyKey matches that of any node on which any of the
+ selected pods is running.
+ Empty topologyKey is not allowed.
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ description: |-
+ weight associated with matching the corresponding podAffinityTerm,
+ in the range 1-100.
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ description: |-
+ If the anti-affinity requirements specified by this field are not met at
+ scheduling time, the pod will not be scheduled onto the node.
+ If the anti-affinity requirements specified by this field cease to be met
+ at some point during pod execution (e.g. due to a pod label update), the
+ system may or may not try to eventually evict the pod from its node.
+ When there are multiple elements, the lists of nodes corresponding to each
+ podAffinityTerm are intersected, i.e. all terms must be satisfied.
+ items:
+ description: |-
+ Defines a set of pods (namely those matching the labelSelector
+ relative to the given namespace(s)) that this pod should be
+ co-located (affinity) or not co-located (anti-affinity) with,
+ where co-located is defined as running on a node whose value of
+ the label with key matches that of any node on which
+ a pod of the set of pods is running
+ properties:
+ labelSelector:
+ description: |-
+ A label query over a set of resources, in this case pods.
+ If it's null, this PodAffinityTerm matches with no Pods.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty.
If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both matchLabelKeys and labelSelector.
+ Also, matchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ description: |-
+ MismatchLabelKeys is a set of pod label keys to select which pods will
+ be taken into consideration. The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
+ to select the group of existing pods which pods will be taken into consideration
+ for the incoming pod's pod (anti) affinity.
Keys that don't exist in the incoming
+ pod labels will be ignored. The default value is empty.
+ The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
+ This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ description: |-
+ A label query over the set of namespaces that the term applies to.
+ The term is applied to the union of the namespaces selected by this field
+ and the ones listed in the namespaces field.
+ null selector and null or empty namespaces list means "this pod's namespace".
+ An empty selector ({}) matches all namespaces.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label
+ key that the selector applies
+ to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs.
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ description: A list of node selector requirements
+ by node's fields.
+ items:
+ description: |-
+ A node selector requirement is a selector that contains values, a key, and an operator
+ that relates the key and values.
+ properties:
+ key:
+ description: The label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: |-
+ Represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.
+ type: string
+ values:
+ description: |-
+ An array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. If the operator is Gt or Lt, the values
+ array must have a single element, which will be interpreted as an integer.
+ This array is replaced during a strategic merge patch.
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1233,6 +2287,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1265,11 +2325,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+
+ See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ items:
+ description: TopologySpreadConstraint specifies how
+ to spread matching pods among the given topology.
+ properties:
+ labelSelector:
+ description: |-
+ LabelSelector is used to find matching pods.
+ Pods that match this label selector are counted to determine the number of pods
+ in their corresponding topology domain.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ description: |-
+ MatchLabelKeys is a set of pod label keys to select the pods over which
+ spreading will be calculated.
The keys are used to lookup values from the
+ incoming pod labels, those key-value labels are ANDed with labelSelector
+ to select the group of existing pods over which spreading will be calculated
+ for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector.
+ MatchLabelKeys cannot be set when LabelSelector isn't set.
+ Keys that don't exist in the incoming pod labels will
+ be ignored. A null or empty list means only match against labelSelector.
+
+ This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ description: |-
+ MaxSkew describes the degree to which pods may be unevenly distributed.
+ When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference
+ between the number of matching pods in the target topology and the global minimum.
+ The global minimum is the minimum number of matching pods in an eligible domain
+ or zero if the number of eligible domains is less than MinDomains.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 2/2/1:
+ In this case, the global minimum is 1.
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P |
+ - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2;
+ scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2)
+ violate MaxSkew(1).
+ - if MaxSkew is 2, incoming pod can be scheduled onto any zone.
+ When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence
+ to topologies that satisfy it.
+ It's a required field. Default value is 1 and 0 is not allowed.
+ format: int32
+ type: integer
+ minDomains:
+ description: |-
+ MinDomains indicates a minimum number of eligible domains.
+ When the number of eligible domains with matching topology keys is less than minDomains,
+ Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed.
+ And when the number of eligible domains with matching topology keys equals or greater than minDomains,
+ this value has no effect on scheduling.
+ As a result, when the number of eligible domains is less than minDomains,
+ scheduler won't schedule more than maxSkew Pods to those domains.
+ If value is nil, the constraint behaves as if MinDomains is equal to 1.
+ Valid values are integers greater than 0.
+ When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
+
+ For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same
+ labelSelector spread as 2/2/2:
+ | zone1 | zone2 | zone3 |
+ | P P | P P | P P |
+ The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0.
+ In this situation, new pod with the same labelSelector cannot be scheduled,
+ because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones,
+ it will violate MaxSkew.
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ description: |-
+ NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector
+ when calculating pod topology spread skew. Options are:
+ - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
+ - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
+
+ If this value is nil, the behavior is equivalent to the Honor policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ nodeTaintsPolicy:
+ description: |-
+ NodeTaintsPolicy indicates how we will treat node taints when calculating
+ pod topology spread skew.
Options are:
+ - Honor: nodes without taints, along with tainted nodes for which the incoming pod
+ has a toleration, are included.
+ - Ignore: node taints are ignored. All nodes are included.
+
+ If this value is nil, the behavior is equivalent to the Ignore policy.
+ This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
+ type: string
+ topologyKey:
+ description: |-
+ TopologyKey is the key of node labels. Nodes that have a label with this key
+ and identical values are considered to be in the same topology.
+ We consider each as a "bucket", and try to put balanced number
+ of pods into each bucket.
+ We define a domain as a particular instance of a topology.
+ Also, we define an eligible domain as a domain whose nodes meet the requirements of
+ nodeAffinityPolicy and nodeTaintsPolicy.
+ e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology.
+ And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology.
+ It's a required field.
+ type: string
+ whenUnsatisfiable:
+ description: |-
+ WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy
+ the spread constraint.
+ - DoNotSchedule (default) tells the scheduler not to schedule it.
+ - ScheduleAnyway tells the scheduler to schedule the pod in any location,
+ but giving higher precedence to topologies that would help reduce the
+ skew.
+ A constraint is considered "Unsatisfiable" for an incoming pod
+ if and only if every possible node assignment for that pod would violate
+ "MaxSkew" on some topology.
+ For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same
+ labelSelector spread as 3/1/1:
+ | zone1 | zone2 | zone3 |
+ | P P P | P | P |
+ If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled
+ to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies
+ MaxSkew(1).
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1317,7 +2608,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1327,8 +2618,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
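Review bot: The new `toleration` key at the top of this hunk is a list (`type: array` of Toleration items) but is named in the singular, while Kubernetes pod specs and the sibling `topologySpreadConstraints` key added in the same hunk use the plural. If the JSON tag is chosen by this project rather than mirrored from an upstream values schema, `tolerations:` is what users will copy from their pod manifests and is far cheaper to rename before the CRD ships than after; if it is inherited, a one-line addition to the description such as `The field name is singular for compatibility with the upstream values schema.` would preempt the question. The `istiodRemote.enabled` description added at the end of the hunk also ends in a dangling comma (`... consume a "remote" istiod instance,`). If this CRD is generated from Go or proto comments, both fixes belong in the source type rather than in this YAML.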
@@ -1454,12 +2745,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1531,7 +2822,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1729,7 +3020,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1857,7 +3148,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1993,7 +3284,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2179,6 +3470,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
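Review bot: The `setCurrentClientCertDetails` description refers to `forward_client_cert_details` in snake_case, while the rest of this commit rewrites such references to the camelCase CRD field names (`tlsSettings`, `failOpen`, `maxRequestBytes`); applying the same mapping gives `This field is valid only when forwardClientCertDetails is APPEND_FORWARD or SANITIZE_SET`. Because these flags decide which client-certificate details are copied into the XFCC header that upstream services trust, this description is the only place in the schema that tells users `cert` and `chain` default to false while `dns`, `subject` and `uri` default to true, so keeping its cross-references accurate is worth the small edit. If the CRD is generated, the fix belongs in the source comment it is rendered from.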
@@ -2441,7 +3767,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2594,7 +3920,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2722,8 +4048,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2799,7 +4125,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2828,8 +4154,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3012,7 +4338,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3020,10 +4346,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3031,7 +4357,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3057,7 +4383,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3131,11 +4457,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3148,7 +4474,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3156,10 +4482,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3167,7 +4493,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3176,7 +4502,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3217,7 +4543,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3342,7 +4668,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3350,7 +4676,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3520,11 +4846,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3601,8 +4927,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3615,6 +4941,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3693,7 +5063,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
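Review bot: The new `initialMetadata[].value` under `grpc` is a plain `type: string`, so whatever is placed there — the description's own example is an `Authentication` header with a `token-xxxxx` value — is stored in cleartext in the resource and readable by anyone with read access to it. The schema cannot express a secret reference, but the description should make the storage model explicit; I would append to the `initialMetadata` description: `Values are stored in plain text in this resource; prefer short-lived credentials and restrict read access accordingly.` The description text appears to be generated from the upstream proto, so the wording change presumably has to land there rather than in this file.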
@@ -3829,6 +5199,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3930,7 +5305,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4238,7 +5613,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4307,7 +5682,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4354,7 +5729,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4682,7 +6057,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4697,7 +6072,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4865,7 +6240,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4880,7 +6255,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5046,7 +6421,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5061,7 +6436,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5229,7 +6604,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5244,7 +6619,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5479,7 +6854,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5538,6 +6913,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5557,7 +6952,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5575,7 +6970,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5585,7 +6980,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
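Review bot: The `istiodRemote.enabled` description in the first hunk ends with a trailing comma instead of a period (`consume a "remote" istiod instance,`), and `injectionCABundle` is documented only as `injector ca bundle`, which is noticeably thinner than its siblings. I would change the first to `description: Indicates if this cluster/install should consume a "remote" istiod instance.` and expand the second to say what the bundle is for, e.g. `description: CA bundle used to verify the sidecar injector webhook's serving certificate.` — the intended encoding (PEM vs. base64) is not visible here, so confirm it against the consumer before stating it. This appears to be generated from upstream values_types.proto, so the fix likely belongs there.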
@@ -5599,7 +6994,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5608,7 +7003,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5628,6 +7023,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5667,7 +7068,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5680,7 +7081,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5743,7 +7144,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6097,6 +7498,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6110,6 +7512,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6719,7 +8122,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6942,6 +8345,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6973,6 +8411,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7124,10 +8563,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7512,6 +8954,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7526,6 +8969,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7556,6 +9000,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7570,6 +9015,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7610,6 +9056,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7975,14 +9422,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: @@ -7996,6 +9443,9 @@ spec: status: description: RemoteIstioStatus defines the observed state of RemoteIstio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/bundle/manifests/security.istio.io_authorizationpolicies.yaml b/bundle/manifests/security.istio.io_authorizationpolicies.yaml index c7aef487f..bebc1b2c6 100644 --- a/bundle/manifests/security.istio.io_authorizationpolicies.yaml 
+++ b/bundle/manifests/security.istio.io_authorizationpolicies.yaml @@ -296,8 +296,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -645,8 +649,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/security.istio.io_requestauthentications.yaml b/bundle/manifests/security.istio.io_requestauthentications.yaml index 94dad1c0e..2d1b0ba00 100644 --- a/bundle/manifests/security.istio.io_requestauthentications.yaml +++ b/bundle/manifests/security.istio.io_requestauthentications.yaml @@ -230,10 +230,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: 
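Review bot: The new `x-kubernetes-validations` message in the authorizationpolicies hunks says `only one of targetRefs or selector can be set`, but the rule also counts `has(self.targetRef)`, so a user who sets `targetRef` together with `selector` gets a message that never names the field they actually set. The same mismatch is in both requestauthentications hunks on this line and the next, where the commit only swaps `workloadSelector` for `selector`. I would change the message to `only one of targetRef, targetRefs or selector can be set` in all four places. These CRDs look generated from upstream Istio, so the fix probably needs to go upstream to survive the next regeneration.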
@@ -516,10 +517,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: diff --git a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml index a2c740b29..fbae851d5 100644 --- a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml +++ b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml @@ -16,7 +16,7 @@ metadata: "inactiveRevisionDeletionGracePeriodSeconds": 30, "type": "InPlace" }, - "version": "v1.23.0" + "version": "v1.23.2" } }, { @@ -27,17 +27,15 @@ metadata: }, "spec": { "namespace": "istio-cni", - "version": "v1.23.0" + "version": "v1.23.2" } } ] capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security - containerImage: quay.io/maistra-dev/sail-operator:3.0-latest - createdAt: "2024-08-29T15:46:07Z" - description: The OpenShift Service Mesh Operator enables you to install, configure, - and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service - Mesh is based on the open source Istio project. + containerImage: quay.io/maistra-dev/sail-operator:0.2-latest + createdAt: "2024-10-08T15:48:56Z" + description: Experimental operator for installing Istio service mesh features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" features.operators.openshift.io/csi: "false" 
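Review bot: The CSV `containerImage` in the third hunk is switched to the floating tag `quay.io/maistra-dev/sail-operator:0.2-latest`, which is a mutable reference — the bundle no longer identifies a single immutable operator build. This annotation is informational, but if the operator Deployment's container image (outside this hunk) uses the same tag, the deployed operator can change underneath an already-published bundle; pinning by digest (`quay.io/maistra-dev/sail-operator@sha256:<digest>`) is the usual fix for a release bundle. The `description` on the same hunk is also cut down to `Experimental operator for installing Istio service mesh`, which is reasonable for a dev channel but should agree with the longer description text later in the file.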
@@ -48,9 +46,7 @@ metadata: features.operators.openshift.io/token-auth-aws: "false" features.operators.openshift.io/token-auth-azure: "false" features.operators.openshift.io/token-auth-gcp: "false" - operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift - Platform Plus"]' - operators.operatorframework.io/builder: operator-sdk-v1.36.1 + operators.operatorframework.io/builder: operator-sdk-v1.37.0 operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/istio-ecosystem/sail-operator @@ -164,14 +160,14 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: Namespace to which the Istio CNI component should be installed. displayName: Namespace 
@@ -202,14 +198,14 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: Namespace to which the Istio components should be installed. displayName: Namespace @@ -248,14 +244,14 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all 
@@ -320,14 +316,14 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.23.2 + - urn:alm:descriptor:com.tectonic.ui:select:v1.22.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.21.6 - urn:alm:descriptor:com.tectonic.ui:select:latest - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all @@ -375,10 +371,10 @@ spec: ### Overview - Red Hat OpenShift Service Mesh, based on the open source [Istio](https://istio.io/) project, adds a transparent layer on existing - distributed applications without requiring any changes to the service code. You add Red Hat OpenShift Service Mesh - support to services by deploying a special sidecar proxy throughout your environment that intercepts all network - communication between microservices. You configure and manage the service mesh using the control plane features. + - v1.23.2 + - v1.22.5 + - v1.21.6 + - latest (6f95f8c9) Red Hat OpenShift Service Mesh provides an easy way to create a network of deployed services that provides discovery, load balancing, service-to-service authentication, failure recovery, metrics, and monitoring. A service mesh also 
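Review bot: In the second hunk the `### Overview` paragraph of the CSV description is replaced by a bare version list (`- v1.23.2`, `- v1.22.5`, `- v1.21.6`, `- latest (6f95f8c9)`), so the description now reads "### Overview" followed by a list of versions and then the dangling sentence `Red Hat OpenShift Service Mesh provides an easy way to create a network...`, which no longer has a subject introduced and contradicts the new short `description` set earlier in the file. This looks like a templating error where the version list was substituted into the wrong placeholder; I would restore an introductory sentence before the list, e.g. `This operator can install the following Istio versions:`, and either keep or drop the Red Hat paragraph consistently with the product framing chosen in the metadata description. The full description body continues outside this hunk.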
@@ -608,9 +604,9 @@ spec: serviceAccountName: servicemesh-operator3 deployments: - label: - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: servicemeshoperator3 - app.kubernetes.io/instance: servicemesh-operator3 + app.kubernetes.io/component: sail-operator + app.kubernetes.io/created-by: sailoperator + app.kubernetes.io/instance: sail-operator app.kubernetes.io/managed-by: helm app.kubernetes.io/name: deployment app.kubernetes.io/part-of: servicemeshoperator3 
@@ -627,12 +623,23 @@ spec: template: metadata: annotations: - images.v1_23_0.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:1.23.0.tp.1 - images.v1_23_0.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.0.tp.1 - images.v1_23_0.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9:3.0.0.tp.1 - images.v1_23_0.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:3.0.0.tp.1 - images.v1_23_0.ztunnel: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.0.tp.1 - kubectl.kubernetes.io/default-container: manager + images.latest.cni: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + images.latest.istiod: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + images.latest.proxy: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + images.latest.ztunnel: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + images.v1_21_6.cni: docker.io/istio/install-cni:1.21.6 + images.v1_21_6.istiod: docker.io/istio/pilot:1.21.6 + images.v1_21_6.proxy: docker.io/istio/proxyv2:1.21.6 + images.v1_21_6.ztunnel: docker.io/istio/ztunnel:1.21.6 + images.v1_22_5.cni: docker.io/istio/install-cni:1.22.5 + images.v1_22_5.istiod: docker.io/istio/pilot:1.22.5 + images.v1_22_5.proxy: docker.io/istio/proxyv2:1.22.5 + images.v1_22_5.ztunnel: docker.io/istio/ztunnel:1.22.5 + images.v1_23_2.cni: docker.io/istio/install-cni:1.23.2 + images.v1_23_2.istiod: docker.io/istio/pilot:1.23.2 + images.v1_23_2.proxy: docker.io/istio/proxyv2:1.23.2 + images.v1_23_2.ztunnel: docker.io/istio/ztunnel:1.23.2 + kubectl.kubernetes.io/default-container: sail-operator labels: app.kubernetes.io/created-by: servicemeshoperator3 app.kubernetes.io/part-of: servicemeshoperator3 
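Review bot: The new `images.latest.*` annotations point the `latest` Istio version at `gcr.io/istio-testing/*` with `1.24-alpha.<commit>` tags, i.e. nightly test builds rather than released artifacts, while the `images.v1_2x_y.*` entries use mutable `docker.io/istio/*:<version>` tags; none of the twenty references is pinned by digest, so which control-plane build a given version deploys depends on what the tag resolves to at pull time. If the operator selects the istiod/CNI/proxy/ztunnel images from these annotations (inferred from the key scheme, not visible here), a retagged upstream image silently changes the mesh control plane. If the bundle generator can resolve digests, emit `gcr.io/istio-testing/pilot@sha256:<digest>`-style references here; otherwise the `Istio Version` description text should state that `latest` is an unsigned test build not meant for production. The old `images.v1_23_0.must-gather` key is dropped without a replacement, which is fine only if nothing still reads it — worth confirming.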
@@ -683,16 +690,15 @@ spec: - --metrics-bind-address=127.0.0.1:8080 - --default-profile=openshift command: - - /manager - image: quay.io/maistra-dev/sail-operator:3.0-latest - imagePullPolicy: Always + - /sail-operator + image: quay.io/maistra-dev/sail-operator:0.2-latest livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager + name: sail-operator readinessProbe: httpGet: path: /readyz @@ -784,4 +790,37 @@ spec: maturity: alpha provider: name: Red Hat, Inc. - version: 3.0.0-tp.1 + relatedImages: + - image: gcr.io/istio-testing/install-cni:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + name: latest.cni + - image: gcr.io/istio-testing/pilot:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + name: latest.istiod + - image: gcr.io/istio-testing/proxyv2:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + name: latest.proxy + - image: gcr.io/istio-testing/ztunnel:1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 + name: latest.ztunnel + - image: docker.io/istio/install-cni:1.21.6 + name: v1_21_6.cni + - image: docker.io/istio/pilot:1.21.6 + name: v1_21_6.istiod + - image: docker.io/istio/proxyv2:1.21.6 + name: v1_21_6.proxy + - image: docker.io/istio/ztunnel:1.21.6 + name: v1_21_6.ztunnel + - image: docker.io/istio/install-cni:1.22.5 + name: v1_22_5.cni + - image: docker.io/istio/pilot:1.22.5 + name: v1_22_5.istiod + - image: docker.io/istio/proxyv2:1.22.5 + name: v1_22_5.proxy + - image: docker.io/istio/ztunnel:1.22.5 + name: v1_22_5.ztunnel + - image: docker.io/istio/install-cni:1.23.2 + name: v1_23_2.cni + - image: docker.io/istio/pilot:1.23.2 + name: v1_23_2.istiod + - image: docker.io/istio/proxyv2:1.23.2 + name: v1_23_2.proxy + - image: docker.io/istio/ztunnel:1.23.2 + name: v1_23_2.ztunnel + version: 0.2.0 diff --git a/bundle/manifests/telemetry.istio.io_telemetries.yaml b/bundle/manifests/telemetry.istio.io_telemetries.yaml index 2839a1467..ec3cf100a 100644 
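Review bot: The hunk removes `imagePullPolicy: Always` but keeps the operator on the floating tag `quay.io/maistra-dev/sail-operator:0.2-latest`; the kubelet defaults to `IfNotPresent` for every tag except the literal `latest`, so a node that has ever cached `0.2-latest` keeps running that build, later pushes to the tag (including fixes) never reach it, and different nodes can end up on different builds. Either keep `imagePullPolicy: Always` next to the floating tag, or better pin the image by digest, e.g. `image: quay.io/maistra-dev/sail-operator@sha256:<digest>`, so the deployed build is reproducible and the pull policy no longer matters. The container entry this belongs to (the `containers:` item whose `args` include `--metrics-bind-address`) begins before the hunk.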
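Review bot: The new `relatedImages` list references every image by tag (`docker.io/istio/pilot:1.23.2`, `gcr.io/istio-testing/proxyv2:1.24-alpha.…`) rather than by digest. `relatedImages` is the list OLM tooling uses to mirror a bundle's images into disconnected registries and to rewrite pull references, and that flow is expected to work from `@sha256:` references; tag-based entries mean the mirrored content can drift from what was tested, and the bundle cannot honestly claim disconnected support. Resolve each tag to a digest when the bundle is generated and emit entries of the form `- image: docker.io/istio/pilot@sha256:<digest>` with the existing `name:` keys unchanged. The same resolved list should feed the `images.*` pod annotations earlier in this manifest so the two never disagree.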
--- a/bundle/manifests/telemetry.istio.io_telemetries.yaml +++ b/bundle/manifests/telemetry.istio.io_telemetries.yaml @@ -282,6 +282,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -393,6 +394,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -726,6 +730,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -837,6 +842,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 5fd517b82..b90d1a6be 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml 
@@ -3,9 +3,9 @@ annotations: operators.operatorframework.io.bundle.mediatype.v1: registry+v1 operators.operatorframework.io.bundle.manifests.v1: manifests/ operators.operatorframework.io.bundle.metadata.v1: metadata/ - operators.operatorframework.io.bundle.package.v1: servicemeshoperator3 - operators.operatorframework.io.bundle.channels.v1: "candidates" - operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 + operators.operatorframework.io.bundle.package.v1: sailoperator + operators.operatorframework.io.bundle.channels.v1: "dev-0.2" + operators.operatorframework.io.metrics.builder: operator-sdk-v1.37.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml index 798809dc7..bd9bf1e03 100644 --- a/bundle/tests/scorecard/config.yaml +++ b/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-spec-descriptors-test 
@@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/chart/README.md b/chart/README.md new file mode 100644 index 000000000..b7b40273e --- /dev/null +++ b/chart/README.md 
@@ -0,0 +1,242 @@ +# Deploy Sail Operator by using Helm charts + +Follow this guide to install and configure Sail Operator by using [Helm](https://helm.sh/docs/) + +## Prerequisites + +Kubernetes: +* You have deployed a cluster on Kubernetes platform 1.27 or later. +* You are logged in to the Kubernetes cluster with admin permissions level user. + +OpenShift: +* You have deployed a cluster on OpenShift Container Platform 4.14 or later. +* You are logged in to the OpenShift Container Platform web console as a user with the `cluster-admin` role. + +[Install the Helm client](https://helm.sh/docs/intro/install/), version 3.6 or above. + +## Prepare the Helm charts + +```sh +$ helm repo add sail-operator https://istio-ecosystem.github.io/sail-operator +$ helm repo update +``` + +## Installation steps + +This section describes the procedure to install `Sail Operator` using Helm. The general syntax for helm installation is: + +```sh +$ helm install --create-namespace --namespace [--set ] +``` + +The variables specified in the command are as follows: +* `` - A name to identify and manage the Helm chart once installed. +* `` - A path to a packaged chart, a path to an unpacked chart directory or a URL. +* `` - The namespace in which the chart is to be installed. + +Default configuration values can be changed using one or more `--set =` arguments. Alternatively, you can specify several parameters in a custom values file using the `--values ` argument. + +1. Create the namespace, `sail-operator`, for the Sail Operator components: + + ```sh + $ kubectl create namespace sail-operator + ``` + +**Note** - This step could be skipped by using the `--create-namespace` argument in step 2. + +2. 
Install the Sail Operator base charts which will manage all the Custom Resource Definitions(CRDs) to be able to deploy the Istio control plane: + +* Kubernetes + + ```sh + $ helm install sail-operator sail-operator/sail-operator --namespace sail-operator + ``` + +* OpenShift + + ```sh + $ helm install sail-operator sail-operator/sail-operator --namespace sail-operator --set platform=openshift + ``` + +3. Validate the CRD installation with the `helm ls` command: + + ```sh + $ helm ls -n sail-operator + + NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION + sail-operator sail-operator 1 2024-09-26 21:15:52.508983383 +0300 IDT deployed sail-operator-0.1.0 0.1.0 + ``` + +4. Get the status of the installed helm chart to ensure it is deployed: + + ```bash + $ helm status sail-operator -n sail-operator + + NAME: sail-operator + LAST DEPLOYED: Thu Sep 26 21:15:52 2024 + NAMESPACE: sail-operator + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +5. Check `sail-operator` deployment is successfully installed and its pods are running: + + ```sh + $ kubectl -n sail-operator get deployment --output wide + + NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR + sail-operator 1/1 1 1 107s kube-rbac-proxy,sail-operator gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1-latest app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator + + $ kubectl -n sail-operator get pods -o wide + + NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES + sail-operator-666f84b6f4-9hw4t 2/2 Running 0 43s 10.244.0.8 sail-control-plane + ``` + +## Deploying Istio + +To deploy Istio, you must create the following resources: +* `Istio`. +* If you are using OpenShift, the `IstioCNI` must also be created. + +The `Istio` resource deploys and configures the Istio Control Plane, whereas the `IstioCNI` resource (in OpenShift) deploys and configures the Istio CNI plugin. 
You should create these resources in separate projects. + +### Create a namespace for Istio project. + +* Kubernetes + + ```sh + $ kubectl create namespace istio-system + ``` + +* OpenShift + + ```sh + $ kubectl create namespace istio-system + $ kubectl create namespace istio-cni + ``` + +### Create the Istio resource + +The `sail-operator` charts directory contains `samples` directory, which contains manifests that could be used for Istio deployment. + +* Kubernetes + + ```sh + $ kubectl apply -f sail-operator/samples/istio-sample-kubernetes.yaml + ``` + +* OpenShift + + ```sh + $ kubectl apply -f sail-operator/samples/istio-sample-openshift.yaml + $ kubectl apply -f sail-operator/samples/istiocni-sample.yaml + ``` + +**Note** - The version can be specified by modifying the `version` field within `Istio` and `IstioCNI` manifests. + +### Customizing Istio configuration + +The `spec.values` field of the `Istio` and `IstioCNI` resource can be used to customize Istio and Istio CNI plugin configuration using Istio's `Helm` configuration values. + +An example configuration: + + ```yaml + apiVersion: sailoperator.io/v1alpha1 + kind: Istio + metadata: + name: example + spec: + version: v1.23.0 + values: + global: + mtls: + enabled: true + trustDomainAliases: + - example.net + meshConfig: + trustDomain: example.com + trustDomainAliases: + - example.net + ``` + +For a list of available configuration for the `spec.values` field, run the following command: + +```sh +$ kubectl explain istio.spec.values +``` + +For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. 
+ +Alternatively, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for: + +- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values) +- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values) +- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values) +- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values) +- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values) + +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). + +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). + +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). + +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). 
+The following addons are for demonstration or development purposes only and +should not be used in production environments: + +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). + + +## Undeploying Istio and the Sail Operator + +### Deleting Istio + +```sh +$ kubectl -n istio-system delete istio default +``` + +### Deleting IstioCNI (in OpenShift cluster platform) + +```sh +$ kubectl -n istio-cni delete istiocni default +``` + +### Uninstall the Sail Operator using Helm + +```sh +$ helm uninstall sail-operator --namespace sail-operator +``` + +### Deleting the Project namespaces + +```sh +$ kubectl delete namespace istio-system +$ kubectl delete namespace istio-cni +$ kubectl delete namespace sail-operator +``` diff --git a/chart/crds/extensions.istio.io_wasmplugins.yaml b/chart/crds/extensions.istio.io_wasmplugins.yaml index 334b5af14..1acec4b67 100644 --- a/chart/crds/extensions.istio.io_wasmplugins.yaml +++ b/chart/crds/extensions.istio.io_wasmplugins.yaml @@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/networking.istio.io_envoyfilters.yaml b/chart/crds/networking.istio.io_envoyfilters.yaml index 678f9e714..e2be5b942 100644 --- a/chart/crds/networking.istio.io_envoyfilters.yaml +++ b/chart/crds/networking.istio.io_envoyfilters.yaml 
@@ -303,6 +303,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -310,12 +311,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/networking.istio.io_serviceentries.yaml b/chart/crds/networking.istio.io_serviceentries.yaml index f5dd5c258..bc244d50b 100644 --- a/chart/crds/networking.istio.io_serviceentries.yaml +++ b/chart/crds/networking.istio.io_serviceentries.yaml @@ -56,7 +56,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -131,6 +133,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -147,14 +154,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -162,11 +174,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -189,14 +211,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -268,6 +308,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -306,7 +348,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -381,6 +425,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -397,14 +446,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -412,11 +466,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -439,14 +503,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -518,6 +600,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -556,7 +640,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -631,6 +717,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -647,14 +738,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -662,11 +758,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -689,14 +795,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -768,6 +892,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/chart/crds/networking.istio.io_sidecars.yaml b/chart/crds/networking.istio.io_sidecars.yaml index 7ff9a81c4..560e8fbb1 100644 --- a/chart/crds/networking.istio.io_sidecars.yaml +++ b/chart/crds/networking.istio.io_sidecars.yaml @@ -472,9 +472,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -1005,9 +1010,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -1538,9 +1548,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object diff --git a/chart/crds/networking.istio.io_workloadentries.yaml b/chart/crds/networking.istio.io_workloadentries.yaml index ec4ed86ed..cf682cd2d 100644 --- a/chart/crds/networking.istio.io_workloadentries.yaml +++ b/chart/crds/networking.istio.io_workloadentries.yaml @@ -174,8 +174,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -332,8 +330,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -490,8 +486,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true diff --git a/chart/crds/networking.istio.io_workloadgroups.yaml b/chart/crds/networking.istio.io_workloadgroups.yaml index 6659317d5..9f06ab833 100644 --- a/chart/crds/networking.istio.io_workloadgroups.yaml +++ b/chart/crds/networking.istio.io_workloadgroups.yaml @@ -44,10 +44,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: 
@@ -76,13 +78,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -97,6 +103,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -110,8 +117,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -119,15 +132,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -138,12 +154,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -203,8 +223,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -282,6 +300,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -310,10 +330,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -342,13 +364,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -363,6 +389,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -376,8 +403,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -385,15 +418,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -404,12 +440,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -469,8 +509,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -548,6 +586,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -576,10 +616,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -608,13 +650,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -629,6 +675,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -642,8 +689,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -651,15 +704,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -670,12 +726,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -735,8 +795,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -814,6 +872,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 3852ba680..927c61c91 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml 
+++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: istiocnis.sailoperator.io spec: group: sailoperator.io @@ -58,7 +58,7 @@ spec: spec: default: namespace: istio-cni - version: v1.23.0 + version: v1.23.2 description: IstioCNISpec defines the desired state of IstioCNI properties: namespace: @@ -379,7 +379,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -394,7 +394,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -562,7 +562,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -577,7 +577,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -743,7 +743,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -758,7 +758,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -926,7 +926,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -941,7 +941,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1079,13 +1079,13 @@ spec: description: |- Additional annotations to apply to the istio-cni Pods. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object privileged: description: |- No longer used for CNI. See: https://github.com/istio/istio/issues/49004 - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean provider: description: |- @@ -1123,7 +1123,7 @@ spec: description: |- No longer used. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string deletePods: description: |- @@ -1205,6 +1205,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1291,7 +1297,7 @@ spec: description: |- See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1311,6 +1317,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1392,14 +1404,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 0dabf6f01..4cad3c0c0 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: istiorevisions.sailoperator.io spec: group: sailoperator.io @@ -90,6 +90,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string 
@@ -118,7 +123,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -170,13 +175,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -190,7 +192,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -210,6 +212,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -251,7 +259,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -344,7 +352,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -411,7 +419,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -566,7 +574,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -610,7 +618,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- 
@@ -901,7 +909,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -922,6 +930,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1008,7 +1022,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1029,6 +1043,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1075,7 +1095,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1138,26 +1158,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1183,6 +2233,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1215,11 +2271,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1267,7 +2554,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1277,8 +2564,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1404,12 +2691,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1481,7 +2768,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1679,7 +2966,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1807,7 +3094,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1943,7 +3230,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2129,6 +3416,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2391,7 +3713,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2544,7 +3866,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2672,8 +3994,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2749,7 +4071,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2778,8 +4100,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -2962,7 +4284,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -2970,10 +4292,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -2981,7 +4303,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3007,7 +4329,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3081,11 +4403,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3098,7 +4420,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3106,10 +4428,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3117,7 +4439,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3126,7 +4448,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3167,7 +4489,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3292,7 +4614,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3300,7 +4622,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3470,11 +4792,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3551,8 +4873,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3565,6 +4887,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3643,7 +5009,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3779,6 +5145,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3880,7 +5251,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4188,7 +5559,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4257,7 +5628,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4304,7 +5675,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4632,7 +6003,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4647,7 +6018,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4815,7 +6186,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4830,7 +6201,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4996,7 +6367,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5011,7 +6382,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5179,7 +6550,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5194,7 +6565,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5429,7 +6800,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5488,6 +6859,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5507,7 +6898,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5525,7 +6916,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5535,7 +6926,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5549,7 +6940,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5558,7 +6949,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5578,6 +6969,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5617,7 +7014,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5630,7 +7027,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5693,7 +7090,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6047,6 +7444,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6060,6 +7458,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6669,7 +8068,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6892,6 +8291,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6923,6 +8357,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7074,10 +8509,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7462,6 +8900,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7476,6 +8915,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7506,6 +8946,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7520,6 +8961,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7560,6 +9002,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7927,11 +9370,11 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index b9a5f37fa..f1b6843b9 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: istios.sailoperator.io spec: group: sailoperator.io 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -76,7 +80,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: IstioSpec defines the desired state of Istio properties: namespace: @@ -145,6 +149,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -173,7 +182,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -225,13 +234,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with 
@@ -245,7 +251,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -265,6 +271,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -306,7 +318,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -399,7 +411,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -466,7 +478,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be 
@@ -621,7 +633,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -665,7 +677,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -956,7 +968,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -977,6 +989,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1063,7 +1081,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -1084,6 +1102,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1130,7 +1154,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1193,26 +1217,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1238,6 +2292,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1270,11 +2330,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1322,7 +2613,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1332,8 +2623,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1459,12 +2750,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1536,7 +2827,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1734,7 +3025,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1862,7 +3153,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1998,7 +3289,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2184,6 +3475,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
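Review bot: The new `setCurrentClientCertDetails` description still refers to `forward_client_cert_details`, while every other hunk in this commit rewrites such proto-style references to their camelCase CRD names (`tlsSettings`, `failOpen`, `numTrustedProxies`); the sibling field is presumably rendered as `forwardClientCertDetails` here, so the sentence should read `This field is valid only when forwardClientCertDetails is APPEND_FORWARD or SANITIZE_SET`. Since this CRD looks generated from the proto comments, the fix belongs in the proto source rather than in this file, or the next regeneration will reintroduce it. Because this block controls which client-certificate attributes are copied into the XFCC header sent to upstream services, a reader checking the mTLS exposure surface will look for the controlling field by its CRD name and not find it. The enclosing `proxyHeaders`-style object starts before this hunk.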
@@ -2446,7 +3772,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2599,7 +3925,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2727,8 +4053,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2804,7 +4130,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2833,8 +4159,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3017,7 +4343,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3025,10 +4351,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3036,7 +4362,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3062,7 +4388,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3136,11 +4462,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3153,7 +4479,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3161,10 +4487,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3172,7 +4498,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3181,7 +4507,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3222,7 +4548,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3347,7 +4673,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3355,7 +4681,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3525,11 +4851,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3606,8 +4932,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3620,6 +4946,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3698,7 +5068,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3834,6 +5204,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3935,7 +5310,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4243,7 +5618,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4312,7 +5687,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4359,7 +5734,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4687,7 +6062,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4702,7 +6077,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4870,7 +6245,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4885,7 +6260,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5051,7 +6426,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5066,7 +6441,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5234,7 +6609,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5249,7 +6624,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5484,7 +6859,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5543,6 +6918,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5562,7 +6957,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5580,7 +6975,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5590,7 +6985,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5604,7 +6999,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5613,7 +7008,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5633,6 +7028,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5672,7 +7073,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5685,7 +7086,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5748,7 +7149,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6102,6 +7503,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6115,6 +7517,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6724,7 +8127,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6947,6 +8350,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6978,6 +8416,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7129,10 +8568,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7517,6 +8959,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7531,6 +8974,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7561,6 +9005,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7575,6 +9020,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7615,6 +9061,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7980,14 +9427,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: @@ -8001,6 +9448,9 @@ spec: status: description: IstioStatus defines the observed state of Istio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index 75f001835..bd7b8e570 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.3 name: remoteistios.sailoperator.io spec: group: sailoperator.io @@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -71,7 +75,7 @@ spec: namespace: istio-system updateStrategy: type: InPlace - version: v1.23.0 + version: v1.23.2 description: RemoteIstioSpec defines the desired state of RemoteIstio properties: namespace: @@ -140,6 +144,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -168,7 +177,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch 
@@ -220,13 +229,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -240,7 +246,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -260,6 +266,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -301,7 +313,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches 
@@ -394,7 +406,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -461,7 +473,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -616,7 +628,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -660,7 +672,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -951,7 +963,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- 
@@ -972,6 +984,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1058,7 +1076,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1079,6 +1097,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1125,7 +1149,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1188,26 +1212,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1233,6 +2287,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1265,11 +2325,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1317,7 +2608,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1327,8 +2618,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1454,12 +2745,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1531,7 +2822,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1729,7 +3020,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1857,7 +3148,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1993,7 +3284,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2179,6 +3470,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2441,7 +3767,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2594,7 +3920,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2722,8 +4048,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces @@ -2799,7 +4125,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: 
@@ -2828,8 +4154,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3012,7 +4338,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3020,10 +4346,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3031,7 +4357,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: @@ -3057,7 +4383,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port 
@@ -3131,11 +4457,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3148,7 +4474,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. @@ -3156,10 +4482,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: 
@@ -3167,7 +4493,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: @@ -3176,7 +4502,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the 
@@ -3217,7 +4543,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3342,7 +4668,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3350,7 +4676,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3520,11 +4846,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3601,8 +4927,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3615,6 +4941,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3693,7 +5063,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3829,6 +5199,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3930,7 +5305,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4238,7 +5613,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4307,7 +5682,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4354,7 +5729,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4682,7 +6057,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4697,7 +6072,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4865,7 +6240,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4880,7 +6255,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5046,7 +6421,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5061,7 +6436,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5229,7 +6604,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5244,7 +6619,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5479,7 +6854,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5538,6 +6913,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5557,7 +6952,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5575,7 +6970,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5585,7 +6980,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5599,7 +6994,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5608,7 +7003,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5628,6 +7023,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5667,7 +7068,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5680,7 +7081,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5743,7 +7144,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6097,6 +7498,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6110,6 +7512,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6719,7 +8122,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6942,6 +8345,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6973,6 +8411,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7124,10 +8563,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7512,6 +8954,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7526,6 +8969,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7556,6 +9000,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7570,6 +9015,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7610,6 +9056,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7975,14 +9422,14 @@ spec: type: object type: object version: - default: v1.23.0 + default: v1.23.2 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. enum: - - v1.23.0 - - v1.22.3 - - v1.21.5 + - v1.23.2 + - v1.22.5 + - v1.21.6 - latest type: string required: @@ -7996,6 +9443,9 @@ spec: status: description: RemoteIstioStatus defines the observed state of RemoteIstio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/chart/crds/security.istio.io_authorizationpolicies.yaml b/chart/crds/security.istio.io_authorizationpolicies.yaml index 409adc3c4..0f72f71e1 100644 --- a/chart/crds/security.istio.io_authorizationpolicies.yaml 
+++ b/chart/crds/security.istio.io_authorizationpolicies.yaml @@ -295,8 +295,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -644,8 +648,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/security.istio.io_requestauthentications.yaml b/chart/crds/security.istio.io_requestauthentications.yaml index 17f28394c..53fe59d32 100644 --- a/chart/crds/security.istio.io_requestauthentications.yaml +++ b/chart/crds/security.istio.io_requestauthentications.yaml @@ -229,10 +229,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: 
@@ -515,10 +516,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: diff --git a/chart/crds/telemetry.istio.io_telemetries.yaml b/chart/crds/telemetry.istio.io_telemetries.yaml index 7b6e42a1e..c858b2995 100644 --- a/chart/crds/telemetry.istio.io_telemetries.yaml +++ b/chart/crds/telemetry.istio.io_telemetries.yaml @@ -281,6 +281,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -392,6 +393,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -725,6 +729,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -836,6 +841,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
diff --git a/chart/samples/istio-sample-kubernetes.yaml b/chart/samples/istio-sample-kubernetes.yaml index 8178db180..19cbe8862 100644 --- a/chart/samples/istio-sample-kubernetes.yaml +++ b/chart/samples/istio-sample-kubernetes.yaml @@ -3,7 +3,7 @@ kind: Istio metadata: name: default spec: - version: v1.23.0 + version: v1.23.2 namespace: istio-system updateStrategy: type: InPlace diff --git a/chart/samples/istio-sample-openshift.yaml b/chart/samples/istio-sample-openshift.yaml index 8119705fd..69044c36d 100644 --- a/chart/samples/istio-sample-openshift.yaml +++ b/chart/samples/istio-sample-openshift.yaml @@ -3,7 +3,7 @@ kind: Istio metadata: name: default spec: - version: v1.23.0 + version: v1.23.2 namespace: istio-system updateStrategy: type: InPlace diff --git a/chart/samples/istiocni-sample.yaml b/chart/samples/istiocni-sample.yaml index 32a57317c..61ace75cc 100644 --- a/chart/samples/istiocni-sample.yaml +++ b/chart/samples/istiocni-sample.yaml @@ -3,5 +3,5 @@ kind: IstioCNI metadata: name: default spec: - version: v1.23.0 + version: v1.23.2 namespace: istio-cni diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 0067d9eaa..bd8bb0d1e 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app.kubernetes.io/component: manager + app.kubernetes.io/component: sail-operator app.kubernetes.io/created-by: {{ .Values.name }} app.kubernetes.io/instance: {{ .Values.deployment.name }} app.kubernetes.io/managed-by: helm @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - kubectl.kubernetes.io/default-container: manager + kubectl.kubernetes.io/default-container: sail-operator {{- range $key, $val := .Values.deployment.annotations }} {{ $key | quote }}: {{ $val | quote}} {{- end }} 
@@ -53,7 +53,10 @@ spec: - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + image: {{ .Values.proxy.image }} +{{- if .Values.proxy.imagePullPolicy }} + imagePullPolicy: {{ .Values.proxy.imagePullPolicy }} +{{- end }} name: kube-rbac-proxy ports: - containerPort: 8443 @@ -61,11 +64,11 @@ spec: protocol: TCP resources: limits: - cpu: 500m - memory: 128Mi + cpu: {{ .Values.proxy.resources.limits.cpu }} + memory: {{ .Values.proxy.resources.limits.memory }} requests: - cpu: 5m - memory: 64Mi + cpu: {{ .Values.proxy.resources.requests.cpu }} + memory: {{ .Values.proxy.resources.requests.memory }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -78,16 +81,18 @@ spec: - --default-profile=openshift {{- end }} command: - - /manager + - /sail-operator image: {{ .Values.image }} +{{- if .Values.proxy.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- end }} livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager + name: sail-operator readinessProbe: httpGet: path: /readyz @@ -96,11 +101,11 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m - memory: 512Mi + cpu: {{ .Values.operator.resources.limits.cpu }} + memory: {{ .Values.operator.resources.limits.memory }} requests: - cpu: 10m - memory: 64Mi + cpu: {{ .Values.operator.resources.requests.cpu }} + memory: {{ .Values.operator.resources.requests.memory }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/chart/templates/olm/scorecard.yaml b/chart/templates/olm/scorecard.yaml index 4bd164b92..feebc2ada 100644 --- a/chart/templates/olm/scorecard.yaml +++ b/chart/templates/olm/scorecard.yaml @@ -9,7 +9,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: basic test: basic-check-spec-test 
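Review bot: In the `@@ -78,16 +81,18 @@` hunk the operator container's pull policy is guarded by the wrong value: the condition reads `.Values.proxy.imagePullPolicy` while the rendered line is `imagePullPolicy: {{ .Values.imagePullPolicy }}`, so setting only `imagePullPolicy` is silently dropped and setting only `proxy.imagePullPolicy` renders an empty `imagePullPolicy:` on the operator container, which fails to apply. The guard on the kube-rbac-proxy container in `@@ -53,7 +53,10 @@` is the intended pattern; the operator one should be `{{- if .Values.imagePullPolicy }}`. Since this is what decides whether a mutable operator tag is re-pulled, it is worth a render test in the chart's CI with each value set alone.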
@@ -19,7 +19,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-bundle-validation-test @@ -29,7 +29,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-crds-have-validation-test @@ -39,7 +39,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-spec-descriptors-test @@ -49,7 +49,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/chart/values.yaml b/chart/values.yaml index 7c5c7056b..869e0e863 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -16,10 +16,10 @@ csv: This version of the operator supports the following Istio versions: - - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest (b28bdd77) + - v1.23.2 + - v1.22.5 + - v1.21.6 + - latest (6f95f8c9) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based 
@@ -42,8 +42,28 @@ csv: features.operators.openshift.io/cnf: "false" features.operators.openshift.io/cni: "true" features.operators.openshift.io/csi: "false" -image: quay.io/maistra-dev/sail-operator:3.0-latest -imagePullPolicy: Always +image: quay.io/maistra-dev/sail-operator:0.2-latest +# We're commenting out the imagePullPolicy to use k8s defaults +# imagePullPolicy: Always +proxy: + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + # We're commenting out the imagePullPolicy to use k8s defaults + # imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi +operator: + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi # setting this to true will add resources required to generate the bundle using operator-sdk bundleGeneration: false diff --git a/cmd/main.go b/cmd/main.go index 9f4452e8b..d4b48d789 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -120,7 +120,7 @@ func main() { // LeaderElectionReleaseOnCancel: true, }) if err != nil { - setupLog.Error(err, "unable to start manager") + setupLog.Error(err, "unable to start sail-operator manager") os.Exit(1) } @@ -171,9 +171,9 @@ func main() { os.Exit(1) } - setupLog.Info("starting manager") + setupLog.Info("starting sail-operator manager") if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { - setupLog.Error(err, "problem running manager") + setupLog.Error(err, "problem running sail-operator manager") os.Exit(1) } } diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index a874dc931..902101baf 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -cdaae915bb35ae5d50de458066ea6d86c1ab3b1c +430db67c8ca3604651633bcf49bb096193933ef8 diff --git a/common/scripts/kind_provisioner.sh b/common/scripts/kind_provisioner.sh index 9c372b9ca..9e9ea59cf 100644 --- a/common/scripts/kind_provisioner.sh +++ b/common/scripts/kind_provisioner.sh 
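Review bot: Commenting out `imagePullPolicy` while keeping the mutable tag `quay.io/maistra-dev/sail-operator:0.2-latest` changes the effective policy to the kubelet default, which for any tag other than `latest` is IfNotPresent; a node that already has `0.2-latest` cached will keep running it after the tag is republished, including rebuilds that carry security fixes, and different nodes in one cluster can run different images under the same tag. Either keep an explicit `imagePullPolicy: Always` for floating tags, or pin the operator image by digest (`image: quay.io/maistra-dev/sail-operator@sha256:<digest>`, placeholder) so the default policy is correct and the supply chain is reproducible. The same consideration applies to `proxy.image`; as far as I know the `gcr.io/kubebuilder/kube-rbac-proxy` location has been deprecated upstream, which is worth confirming before relying on it as the default.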
@@ -34,6 +34,9 @@ set -x # DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s) DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.28.4" +# the default kind cluster should be ipv4 if not otherwise specified +IP_FAMILY="${IP_FAMILY:-ipv4}" + # COMMON_SCRIPTS contains the directory this file is in. COMMON_SCRIPTS=$(dirname "${BASH_SOURCE:-$0}") @@ -174,11 +177,6 @@ function setup_kind_cluster() { CONFIG=${DEFAULT_CLUSTER_YAML} fi - # Configure the ipFamily of the cluster - if [ -n "${IP_FAMILY}" ]; then - yq eval ".networking.ipFamily = \"${IP_FAMILY}\"" -i "${CONFIG}" - fi - KIND_WAIT_FLAG="--wait=180s" KIND_DISABLE_CNI="false" if [[ -n "${KUBERNETES_CNI:-}" ]]; then @@ -187,7 +185,8 @@ function setup_kind_cluster() { fi # Create KinD cluster - if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" | \ + if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" \ + --expression ".networking.ipFamily = \"${IP_FAMILY}\"" | \ kind create cluster --name="${NAME}" -v4 --retain --image "${IMAGE}" ${KIND_WAIT_FLAG:+"$KIND_WAIT_FLAG"} --config -); then echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs." return 9 diff --git a/common/scripts/run.sh b/common/scripts/run.sh index e9629a39c..9efe2ce03 100755 --- a/common/scripts/run.sh +++ b/common/scripts/run.sh @@ -36,7 +36,7 @@ MOUNT_DEST="${MOUNT_DEST:-/work}" read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}" -[[ -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it") +[[ -t 0 ]] && DOCKER_RUN_OPTIONS+=("-it") [[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}") # $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index ee932a946..9418434d8 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh 
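Review bot: With `IP_FAMILY="${IP_FAMILY:-ipv4}"` in the first hunk and the unconditional `--expression ".networking.ipFamily = \"${IP_FAMILY}\""` in the `@@ -187,7 +185,8 @@` hunk, a caller-supplied CONFIG that sets `networking.ipFamily` (e.g. dual) is now silently overwritten with ipv4 unless the caller also exports IP_FAMILY; before the change the override only applied when IP_FAMILY was set. Either keep the override conditional or document in the comment that IP_FAMILY is authoritative over the config file. The value is also interpolated into a yq expression unvalidated; a short allow-list before use, `case "${IP_FAMILY}" in ipv4|ipv6|dual) ;; *) echo "unsupported IP_FAMILY: ${IP_FAMILY}"; return 1;; esac`, gives a clear failure instead of a broken expression. setup_kind_cluster's body starts and ends outside these hunks.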
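Review bot: In the run.sh hunk, switching the test from `-t 1` to `-t 0` makes `-it` depend only on stdin being a terminal, so an interactive invocation whose stdout is piped or captured (`run.sh make test | tee build.log`, or a wrapper collecting output) still gets a pty and docker's pty output, with CR/LF translation and possible interleaving, lands in the pipe. The change presumably fixes the inverse case where stdin is not a TTY and `-t` fails, which is valid, but both conditions matter; `[[ -t 0 && -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it")` keeps the earlier behaviour for piped output, or add `-i` and `-t` separately on their respective checks.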
@@ -75,7 +75,7 @@ fi TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io} PROJECT_ID=${PROJECT_ID:-istio-testing} if [[ "${IMAGE_VERSION:-}" == "" ]]; then - IMAGE_VERSION=master-0aa2afb4bac9a4fd1bfe50a929c077a643066b3a + IMAGE_VERSION=master-8463430ba963638b35745d773045701f6d02014d fi if [[ "${IMAGE_NAME:-}" == "" ]]; then IMAGE_NAME=build-tools diff --git a/controllers/istio/istio_controller.go b/controllers/istio/istio_controller.go index f7644e0d8..b46119796 100644 --- a/controllers/istio/istio_controller.go +++ b/controllers/istio/istio_controller.go @@ -207,6 +207,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.Istio, }) status.State = v1alpha1.IstioReasonReconcileError } else { + status.ActiveRevisionName = getActiveRevisionName(istio) rev, err := r.getActiveRevision(ctx, istio) if apierrors.IsNotFound(err) { revisionNotFound := func(conditionType v1alpha1.IstioConditionType) v1alpha1.IstioCondition { diff --git a/controllers/istio/istio_controller_test.go b/controllers/istio/istio_controller_test.go index 020529823..fe8e199fb 100644 --- a/controllers/istio/istio_controller_test.go +++ b/controllers/istio/istio_controller_test.go @@ -367,6 +367,7 @@ func TestDetermineStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 2, Ready: 1, @@ -378,7 +379,7 @@ func TestDetermineStatus(t *testing.T) { name: "shows correct revision counts", wantErr: false, revisions: []v1alpha1.IstioRevision{ - // owned by the Istio under test; 3 todal, 2 ready, 1 in use + // owned by the Istio under test; 3 total, 2 ready, 1 in use revision(istioKey.Name, ownedByIstio, true, true, true), revision(istioKey.Name+"-old1", ownedByIstio, true, true, false), revision(istioKey.Name+"-old2", ownedByIstio, true, false, false), 
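Review bot: `status.ActiveRevisionName = getActiveRevisionName(istio)` is assigned only inside the `else` branch, so on the path that sets `status.State = v1alpha1.IstioReasonReconcileError` the new field is left at its zero value (or stale, if the status struct is reused; determineStatus starts and ends outside the hunk so I cannot tell). Given that the helper takes only `istio`, it appears to derive the name from the spec rather than from cluster state, in which case moving the assignment above the `if`/`else` would report the intended revision even when reconciliation fails; the same applies to the identical hunk in controllers/remoteistio/remoteistio_controller.go. A test case for the reconcile-error path asserting `ActiveRevisionName` would pin whichever behaviour is intended.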
@@ -398,6 +399,7 @@ func TestDetermineStatus(t *testing.T) { Status: metav1.ConditionTrue, }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 3, Ready: 2, @@ -425,6 +427,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, }, }, { @@ -455,7 +458,8 @@ func TestDetermineStatus(t *testing.T) { Message: "failed to get active IstioRevision: get failed: simulated error", }, }, - Revisions: v1alpha1.RevisionSummary{}, + ActiveRevisionName: istioKey.Name, + Revisions: v1alpha1.RevisionSummary{}, }, }, { @@ -486,6 +490,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, @@ -587,6 +592,7 @@ func TestUpdateStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, @@ -625,6 +631,7 @@ func TestUpdateStatus(t *testing.T) { LastTransitionTime: *oneMinuteAgo, }, }, + ActiveRevisionName: istioKey.Name, }, }, revisions: []v1alpha1.IstioRevision{ @@ -673,6 +680,7 @@ func TestUpdateStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, }, disallowWrites: true, wantErr: false, diff --git a/controllers/remoteistio/remoteistio_controller.go b/controllers/remoteistio/remoteistio_controller.go index 32b2ac028..31c70a51c 100644 --- a/controllers/remoteistio/remoteistio_controller.go +++ b/controllers/remoteistio/remoteistio_controller.go 
@@ -206,6 +206,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.Remote }) status.State = v1alpha1.RemoteIstioReasonReconcileError } else { + status.ActiveRevisionName = getActiveRevisionName(istio) rev, err := r.getActiveRevision(ctx, istio) if apierrors.IsNotFound(err) { revisionNotFound := func(conditionType v1alpha1.RemoteIstioConditionType) v1alpha1.RemoteIstioCondition { diff --git a/controllers/remoteistio/remoteistio_controller_test.go b/controllers/remoteistio/remoteistio_controller_test.go index 9e4f3732c..c9ff33f0a 100644 --- a/controllers/remoteistio/remoteistio_controller_test.go +++ b/controllers/remoteistio/remoteistio_controller_test.go @@ -367,6 +367,7 @@ func TestDetermineStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 2, Ready: 1, @@ -398,6 +399,7 @@ func TestDetermineStatus(t *testing.T) { Status: metav1.ConditionTrue, }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: 3, Ready: 2, @@ -425,6 +427,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, }, }, { @@ -455,7 +458,8 @@ func TestDetermineStatus(t *testing.T) { Message: "failed to get active IstioRevision: get failed: simulated error", }, }, - Revisions: v1alpha1.RevisionSummary{}, + ActiveRevisionName: istioKey.Name, + Revisions: v1alpha1.RevisionSummary{}, }, }, { @@ -486,6 +490,7 @@ func TestDetermineStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, @@ -587,6 +592,7 @@ func TestUpdateStatus(t *testing.T) { Message: "active IstioRevision not found", }, }, + ActiveRevisionName: istioKey.Name, Revisions: v1alpha1.RevisionSummary{ Total: -1, Ready: -1, 
@@ -625,6 +631,7 @@ func TestUpdateStatus(t *testing.T) { LastTransitionTime: *oneMinuteAgo, }, }, + ActiveRevisionName: istioKey.Name, }, }, revisions: []v1alpha1.IstioRevision{ @@ -673,6 +680,7 @@ func TestUpdateStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, }, disallowWrites: true, wantErr: false, diff --git a/docs/README.md b/docs/README.md index 64bdbefdd..e2c1572fd 100644 --- a/docs/README.md +++ b/docs/README.md @@ -22,6 +22,11 @@ - [RevisionBased](#revisionbased) - [Example using the RevisionBased strategy](#example-using-the-revisionbased-strategy) - [Multi-cluster](#multi-cluster) + - [Prerequisites](#prerequisites) + - [Common Setup](#common-setup) + - [Multi-Primary](#multi-primary---multi-network) + - [Primary-Remote](#primary-remote---multi-network) + - [External Control Plane](#external-controlplane) - [Addons](#addons) - [Deploy Prometheus and Jaeger addons](#deploy-prometheus-and-jaeger-addons) - [Deploy Kiali addon](#deploy-kiali-addon) @@ -260,7 +265,7 @@ When the `InPlace` strategy is used, the existing Istio control plane is replace Prerequisites: * Sail Operator is installed. -* `istioctl` is installed. +* `istioctl` is [installed](common/install-istioctl-tool.md). Steps: 1. Create the `istio-system` namespace. @@ -336,7 +341,7 @@ When the `RevisionBased` strategy is used, a new Istio control plane instance is Prerequisites: * Sail Operator is installed. -* `istioctl` is installed. +* `istioctl` is [installed](common/install-istioctl-tool.md). Steps: 
@@ -472,13 +477,12 @@ Steps: You can use the Sail Operator and the Sail CRDs to manage a multi-cluster Istio deployment. The following instructions are adapted from the [Istio multi-cluster documentation](https://istio.io/latest/docs/setup/install/multicluster/) to demonstrate how you can setup the various deployment models with Sail. Please familiarize yourself with the different [deployment models](https://istio.io/latest/docs/ops/deployment/deployment-models/) before starting. -*Prerequisites* - -Each deployment model requires you to install the Sail Operator and the Sail CRDs to every cluster that is part of the mesh. +### Prerequisites -- Install [istioctl](https://istio.io/latest/docs/setup/install/istioctl) and have it included in your `$PATH`. +- Install [istioctl](common/install-istioctl-tool.md). - Two kubernetes clusters with external lb support. (If using kind, `cloud-provider-kind` is running in the background) - kubeconfig file with a context for each cluster. +- Install the Sail Operator and the Sail CRDs to every cluster. ### Common Setup @@ -502,7 +506,7 @@ These steps are common to every multi-cluster deployment and should be completed kubectl get ns istio-system --context "${CTX_CLUSTER2}" || kubectl create namespace istio-system --context "${CTX_CLUSTER2}" ``` -2. Create shared trust and add intermediate CAs to each cluster. +3. Create shared trust and add intermediate CAs to each cluster. If you already have a [shared trust](https://istio.io/latest/docs/setup/install/multicluster/before-you-begin/#configure-trust) for each cluster you can skip this. Otherwise, you can use the instructions below to create a shared trust and push the intermediate CAs into your clusters. 
@@ -868,6 +872,284 @@ In this setup there is a Primary cluster (`cluster1`) and a Remote cluster (`clu kubectl delete ns sample --context="${CTX_CLUSTER2}" ``` +### External Control Plane + +These instructions install an [external control plane](https://istio.io/latest/docs/setup/install/external-controlplane/) Istio deployment using the Sail Operator and Sail CRDs. **Before you begin**, ensure you meet the requirements of the [common setup](#common-setup) and complete **only** the "Setup env vars" step. Unlike other Multi-Cluster deployments, you won't be creating a common CA in this setup. + +These installation instructions are adapted from [Istio's external control plane documentation](https://istio.io/latest/docs/setup/install/external-controlplane/) and are intended to be run in a development environment, such as `kind`, rather than in production. + +In this setup there is an external control plane cluster (`cluster1`) and a remote cluster (`cluster2`) which are on separate networks. + +1. Create an `Istio` resource on `cluster1` to manage the ingress gateways for the external control plane. + + ```sh + kubectl create namespace istio-system --context "${CTX_CLUSTER1}" + kubectl apply --context "${CTX_CLUSTER1}" -f - < /dev/null || \ + { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.1.0" | kubectl apply -f - --context="${CTX_CLUSTER2}"; } + ``` + + Expose `helloworld` through the ingress gateway. + ```sh + kubectl apply -f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/helloworld/gateway-api/helloworld-gateway.yaml -n sample --context="${CTX_CLUSTER2}" + kubectl -n sample --context="${CTX_CLUSTER2}" wait --for=condition=programmed gtw helloworld-gateway + ``` + + Confirm you can access the `helloworld` application through the ingress gateway created in the Remote cluster. 
+ ```sh + curl -s "http://$(kubectl -n sample --context="${CTX_CLUSTER2}" get gtw helloworld-gateway -o jsonpath='{.status.addresses[0].value}'):80/hello" + ``` + You should see a response from the `helloworld` application: + ```sh + Hello version: v1, instance: helloworld-v1-6d65866976-jb6qc + ``` + +15. Cleanup + + ```sh + kubectl delete istios default --context="${CTX_CLUSTER1}" + kubectl delete ns istio-system --context="${CTX_CLUSTER1}" + kubectl delete istios external-istiod --context="${CTX_CLUSTER1}" + kubectl delete ns external-istiod --context="${CTX_CLUSTER1}" + kubectl delete remoteistios external-istiod --context="${CTX_CLUSTER2}" + kubectl delete ns external-istiod --context="${CTX_CLUSTER2}" + kubectl delete ns sample --context="${CTX_CLUSTER2}" + ``` + ## Addons Addons are managed separately from the Sail Operator. You can follow the [istio documentation](https://istio.io/latest/docs/ops/integrations/) for how to install addons. Below is an example of how to install some addons for Istio. diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index d8e479b79..d028681b5 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md @@ -74,6 +74,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | +| `excludedCRDs` _string array_ | CRDs to exclude. Requires `enableCRDTemplates` | | | | `validationURL` _string_ | URL to use for validating webhook. | | | | `validationCABundle` _string_ | validation webhook CA bundle | | | 
@@ -104,14 +105,14 @@ _Appears in:_ | `cniNetnsDir` _string_ | The directory path within the cluster node's filesystem where network namespaces are located. Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. | | | | `excludeNamespaces` _string array_ | List of namespaces that should be ignored by the CNI plugin. | | | | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity to set on the istio-cni Pods. Can be used to exclude istio-cni from being scheduled on specified nodes. | | | -| `podAnnotations` _object (keys:string, values:string)_ | Additional annotations to apply to the istio-cni Pods. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `podAnnotations` _object (keys:string, values:string)_ | Additional annotations to apply to the istio-cni Pods. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `psp_cluster_role` _string_ | PodSecurityPolicy cluster role. No longer used anywhere. | | | | `logging` _[GlobalLoggingConfig](#globalloggingconfig)_ | Same as `global.logging.level`, but will override it if set | | | | `repair` _[CNIRepairConfig](#cnirepairconfig)_ | Configuration for the CNI Repair controller. | | | | `chained` _boolean_ | Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false, the configuration is added as a standalone file in the CNI configuration directory. | | | | `resource_quotas` _[ResourceQuotas](#resourcequotas)_ | The resource quotas configration for the CNI DaemonSet. | | | | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | The k8s resource requests and limits for the istio-cni Pods. | | | -| `privileged` _boolean_ | No longer used for CNI. 
See: https://github.com/istio/istio/issues/49004 Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `privileged` _boolean_ | No longer used for CNI. See: https://github.com/istio/istio/issues/49004 Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `seccompProfile` _[SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#seccompprofile-v1-core)_ | The Container seccompProfile See: https://kubernetes.io/docs/tutorials/security/seccomp/ | | | | `provider` _string_ | Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an additional NetworkAttachmentDefinition resource is deployed to the cluster to allow the istio-cni plugin to be invoked in a cluster using the Multus CNI plugin. | | | | `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update of the CNI DaemonSet (see `updateStrategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. | | XIntOrString: \{\} | 
@@ -130,7 +131,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `hub` _string_ | Specifies the docker hub for Istio images. | | | | `imagePullPolicy` _[PullPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#pullpolicy-v1-core)_ | Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | Enum: [Always Never IfNotPresent] | | `imagePullSecrets` _string array_ | ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | | 
@@ -159,7 +160,7 @@ _Appears in:_ | `image` _string_ | Image name to pull from. Image will be `Hub/Image:Tag-Variant`. If Image contains a "/", it will replace the entire `image` in the pod. | | | | `labelPods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If labelPods is true, the controller will label all broken pods with =. This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. | | | | `repairPods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod. | | | -| `createEvents` _string_ | No longer used. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `createEvents` _string_ | No longer used. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `deletePods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If deletePods is true, the controller will delete the broken pod. 
The pod will then be rescheduled, hopefully onto a node that is fully ready. Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. | | | | `brokenPodLabelKey` _string_ | The label key to apply to a broken pod when the controller is in labelPods mode. | | | | `brokenPodLabelValue` _string_ | The label value to apply to a broken pod when the controller is in labelPods mode. | | | @@ -292,7 +293,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `address` _string_ | Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | | `subscribedResources` _[Resource](#resource) array_ | Describes the source of configuration, if nothing is specified default is MCP | | Enum: [SERVICE_REGISTRY] | @@ -341,7 +342,7 @@ _Appears in:_ _Underlying type:_ _string_ ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -header is handled by the gateway proxy. +header is handled by a proxy. See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails) header handling for more details. 
@@ -355,10 +356,10 @@ _Appears in:_ | Field | Description | | --- | --- | | `UNDEFINED` | Field is not set | -| `SANITIZE` | Do not send the XFCC header to the next hop. This is the default value. | +| `SANITIZE` | Do not send the XFCC header to the next hop. | | `FORWARD_ONLY` | When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. | -| `APPEND_FORWARD` | When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. | -| `SANITIZE_SET` | When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. | +| `APPEND_FORWARD` | When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. This is the default value for sidecar proxies. | +| `SANITIZE_SET` | When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. This is the default value for gateway proxies. | | `ALWAYS_FORWARD_ONLY` | Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. | 
@@ -375,13 +376,13 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `arch` _[ArchConfig](#archconfig)_ | Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: 0 - Never scheduled 1 - Least preferred 2 - No preference 3 - Most preferred Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `arch` _[ArchConfig](#archconfig)_ | Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: 0 - Never scheduled 1 - Least preferred 2 - No preference 3 - Most preferred Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `certSigners` _string array_ | List of certSigners to allow "approve" action in the ClusterRole | | | | `configValidation` _boolean_ | Controls whether the server-side validation is enabled. | | | -| `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. 
See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. | | | +| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. 
| | | +| `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `hub` _string_ | Specifies the docker hub for Istio images. | | | | `imagePullPolicy` _[PullPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#pullpolicy-v1-core)_ | Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | Enum: [Always Never IfNotPresent] | | `imagePullSecrets` _string array_ | ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | | 
@@ -395,7 +396,7 @@ _Appears in:_ | `podDNSSearchNamespaces` _string array_ | Custom DNS config for the pod to resolve names of services in other clusters. Use this to add additional search domains, and other settings. see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config This does not apply to gateway pods as they typically need a different set of DNS settings than the normal application pods (e.g. in multicluster scenarios). | | | | `omitSidecarInjectorConfigMap` _boolean_ | Controls whether the creation of the sidecar injector ConfigMap should be skipped. Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. | | | | `operatorManageWebhooks` _boolean_ | Controls whether the WebhookConfiguration resource(s) should be created. The current behavior of Istiod is to manage its own webhook configurations. When this option is set to true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations. | | | -| `priorityClassName` _string_ | Specifies the k8s priorityClassName for the istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `priorityClassName` _string_ | Specifies the k8s priorityClassName for the istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `proxy` _[ProxyConfig](#proxyconfig)_ | Specifies how proxies are configured within Istio. | | | | `proxy_init` _[ProxyInitConfig](#proxyinitconfig)_ | Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic. 
| | | | `sds` _[SDSConfig](#sdsconfig)_ | Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. | | | @@ -405,7 +406,7 @@ _Appears in:_ | `remotePilotAddress` _string_ | Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname. | | | | `istiod` _[IstiodConfig](#istiodconfig)_ | Specifies the configution of istiod | | | | `pilotCertProvider` _string_ | Configure the Pilot certificate provider. Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". | | | -| `jwtPolicy` _string_ | Configure the policy for validating JWT. This is deprecated and has no effect. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `jwtPolicy` _string_ | Configure the policy for validating JWT. This is deprecated and has no effect. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `sts` _[STSConfig](#stsconfig)_ | Specifies the configuration for Security Token Service. | | | | `revision` _string_ | Configures the revision this control plane is a part of | | | | `mountMtlsCerts` _boolean_ | Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts. | | | 
@@ -506,7 +507,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.0 \} | | +| `spec` _[IstioSpec](#istiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.2 \} | | | `status` _[IstioStatus](#istiostatus)_ | | | | 
@@ -528,7 +529,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.0 \} | | +| `spec` _[IstioCNISpec](#istiocnispec)_ | | \{ namespace:istio-cni version:v1.23.2 \} | | | `status` _[IstioCNIStatus](#istiocnistatus)_ | | | | 
@@ -624,7 +625,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio CNI component should be installed. | istio-cni | | | `values` _[CNIValues](#cnivalues)_ | Defines the values to be passed to the Helm charts when installing Istio CNI. | | | @@ -852,7 +853,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `type` _[IstioRevisionType](#istiorevisiontype)_ | Type indicates whether this revision represents a local or a remote control plane installation. | Local | | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | 
@@ -905,7 +906,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | | | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | @@ -928,6 +929,7 @@ _Appears in:_ | `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this Istio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object. | | | | `conditions` _[IstioCondition](#istiocondition) array_ | Represents the latest available observations of the object's current state. | | | | `state` _[IstioConditionReason](#istioconditionreason)_ | Reports the current state of the object. | | | +| `activeRevisionName` _string_ | The name of the active revision. | | | | `revisions` _[RevisionSummary](#revisionsummary)_ | Reports information about the underlying IstioRevisions. | | | 
@@ -976,6 +978,7 @@ _Appears in:_ _Appears in:_ +- [PilotConfig](#pilotconfig) - [Values](#values) | Field | Description | Default | Validation | @@ -983,6 +986,7 @@ _Appears in:_ | `injectionURL` _string_ | URL to use for sidecar injector webhook. | | | | `injectionPath` _string_ | Path to use for the sidecar injector webhook service. | | | | `injectionCABundle` _string_ | injector ca bundle | | | +| `enabled` _boolean_ | Indicates if this cluster/install should consume a "remote" istiod instance, | | | #### LocalityLoadBalancerSetting 
@@ -1128,7 +1132,7 @@ _Appears in:_ | `ingressClass` _string_ | Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of `kubernetes.io/ingress.class` annotation. | | | | `ingressService` _string_ | Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value `istio-ingressgateway` is used. | | | | `ingressControllerMode` _[MeshConfigIngressControllerMode](#meshconfigingresscontrollermode)_ | Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is `STRICT`. | | Enum: [UNSPECIFIED OFF DEFAULT STRICT] | -| `ingressSelector` _string_ | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingress_service. | | | +| `ingressSelector` _string_ | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingressService. | | | | `enableTracing` _boolean_ | Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration. | | | | `accessLogFile` _string_ | File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging. | | | | `accessLogFormat` _string_ | Format for the proxy access log Empty value results in proxy's default access log format | | | 
@@ -1141,11 +1145,11 @@ _Appears in:_ | `configSources` _[ConfigSource](#configsource) array_ | ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane. | | | | `enableAutoMtls` _boolean_ | This flag is used to enable mutual `TLS` automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding `DestinationRule` configured, or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate for mutual `TLS` to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. | | | | `trustDomain` _string_ | The trust domain corresponds to the trust root of a system. Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) | | | -| `trustDomainAliases` _string array_ | The trust domain aliases represent the aliases of `trust_domain`. For example, if we have ```yaml trustDomain: td1 trustDomainAliases: ["td2", "td3"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. | | | +| `trustDomainAliases` _string array_ | The trust domain aliases represent the aliases of `trustDomain`. 
For example, if we have ```yaml trustDomain: td1 trustDomainAliases: ["td2", "td3"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. | | | | `caCertificates` _[MeshConfigCertificateData](#meshconfigcertificatedata) array_ | The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent. | | | -| `defaultServiceExportTo` _string array_ | The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use "*" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`. | | | -| `defaultVirtualServiceExportTo` _string array_ | The default value for the VirtualService.export_to field. 
Has the same syntax as `default_service_export_to`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces | | | -| `defaultDestinationRuleExportTo` _string array_ | The default value for the `DestinationRule.export_to` field. Has the same syntax as `default_service_export_to`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces | | | +| `defaultServiceExportTo` _string array_ | The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use "*" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`. | | | +| `defaultVirtualServiceExportTo` _string array_ | The default value for the VirtualService.exportTo field. Has the same syntax as `defaultServiceExportTo`. 
If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces | | | +| `defaultDestinationRuleExportTo` _string array_ | The default value for the `DestinationRule.exportTo` field. Has the same syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces | | | | `rootNamespace` _string_ | The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. The precise semantics of this processing are documented on each resource type. | | | | `localityLbSetting` _[LocalityLoadBalancerSetting](#localityloadbalancersetting)_ | Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ | | | | `dnsRefreshRate` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` Default refresh rate is `60s`. | | | 
@@ -1159,7 +1163,7 @@ _Appears in:_ | `pathNormalization` _[MeshConfigProxyPathNormalization](#meshconfigproxypathnormalization)_ | ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. The normalized paths will be used in all aspects through the requests' lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used. | | | | `defaultHttpRetryPolicy` _[HTTPRetry](#httpretry)_ | Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". Setting the number of attempts to 0 disables retry policy globally. This setting can be overridden on a per-host basis using the Virtual Service API. All settings in the retry policy except `perTryTimeout` can currently be configured globally via this field. | | | | `meshMTLS` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below: ```yaml meshConfig: meshMTLS: minProtocolVersion: TLSV1_3 tlsDefaults: Note: applicable only for non ISTIO_MUTUAL scenarios ecdhCurves: - P-256 - P-512 ``` Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic. Note: Mesh mTLS does not respect ECDH curves. | | | -| `tlsDefaults` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdh_curves and cipher_suites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. 
| | | +| `tlsDefaults` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. | | | #### MeshConfigAccessLogEncoding 
@@ -1196,9 +1200,9 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `address` _string_ | REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 | | Required: \{\} | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. Regarding tls_settings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate. | | | | `requestTimeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | timeout for forward CSR requests from Istiod to External CA Default: 10s | | | -| `istiodSide` _boolean_ | Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true | | | +| `istiodSide` _boolean_ | Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true | | | #### MeshConfigCertificateData 
@@ -1217,7 +1221,7 @@ _Appears in:_ | `pem` _string_ | The PEM data of the certificate. | | | | `spiffeBundleUrl` _string_ | The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint. | | | | `certSigners` _string array_ | when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. | | | -| `trustDomains` _string array_ | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trust_domain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. | | | +| `trustDomains` _string array_ | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. 
If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. | | | #### MeshConfigDefaultProviders @@ -1228,7 +1232,7 @@ Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified. -These names must match a provider defined in `extension_providers` that is +These names must match a provider defined in `extensionProviders` that is one of the supported tracing providers. 
@@ -1304,7 +1308,7 @@ _Appears in:_ | --- | --- | --- | --- | | `service` _string_ | REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. The format is `[/]`. The specification of `` is required only when it is insufficient to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". | | Required: \{\} | | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | -| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `fail_open` field. | | | +| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | | | `failOpen` _boolean_ | If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. 
| | | | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | | | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service. | | | 
@@ -1325,13 +1329,13 @@ _Appears in:_ | --- | --- | --- | --- | | `service` _string_ | REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. The format is `[/]`. The specification of `` is required only when it is insufficient to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". | | Required: \{\} | | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | -| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `fail_open` field. | | | +| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | | | `pathPrefix` _string_ | Sets a prefix to the value of authorization request header *Path*. For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". 
| | | | `failOpen` _boolean_ | If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response. | | | | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | | -| `includeHeadersInCheck` _string array_ | DEPRECATED. Use include_request_headers_in_check instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | | -| `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | -| `includeAdditionalHeadersInCheck` _object (keys:string, values:string)_ | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. 
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. | | | +| `includeHeadersInCheck` _string array_ | DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | | +| `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | +| `includeAdditionalHeadersInCheck` _object (keys:string, values:string)_ | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. | | | | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service. 
| | | | `headersToUpstreamOnAllow` _string array_ | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | | `headersToDownstreamOnDeny` _string array_ | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream. When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. Note, the body from the authorization service is always included in the response to downstream. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | | @@ -1424,6 +1428,8 @@ _Appears in:_ | `filterStateObjectsToLog` _string array_ | Optional. Additional filter state objects to log. | | | + + #### MeshConfigExtensionProviderHttpHeader 
@@ -1433,6 +1439,7 @@ _Appears in:_ _Appears in:_ +- [MeshConfigExtensionProviderGrpcService](#meshconfigextensionprovidergrpcservice) - [MeshConfigExtensionProviderHttpService](#meshconfigextensionproviderhttpservice) | Field | Description | Default | Validation | 
@@ -1513,8 +1520,9 @@ _Appears in:_ | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | | `maxTagLength` _integer_ | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | | | | `http` _[MeshConfigExtensionProviderHttpService](#meshconfigextensionproviderhttpservice)_ | Optional. Specifies the configuration for exporting OTLP traces via HTTP. When empty, traces will be exported via gRPC. The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP: 1. Add/change the OpenTelemetry extension provider in `MeshConfig` ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com http: path: "/api/otlp/traces" timeout: 10s headers: - name: "my-custom-header" value: "some value" ``` 2. Deploy a `ServiceEntry` for the observability back-end ```yaml apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: my-olly-backend spec: hosts: - my.olly-backend.com ports: - number: 443 name: https-port protocol: HTTPS resolution: DNS location: MESH_EXTERNAL --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: my-olly-backend spec: host: my.olly-backend.com trafficPolicy: portLevelSettings: - port: number: 443 tls: mode: SIMPLE ``` | | | -| `resourceDetectors` _[MeshConfigExtensionProviderResourceDetectors](#meshconfigextensionproviderresourcedetectors)_ | Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). 
The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com resource_detectors: environment: \{\} ``` | | | -| `dynatraceSampler` _[MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler](#meshconfigextensionprovideropentelemetrytracingproviderdynatracesampler)_ | The Dynatrace adaptive traffic management (ATM) sampler. Example configuration: ```yaml - name: otel-tracing opentelemetry: port: 443 service: "\{your-environment-id\}.live.dynatrace.com" http: path: "/api/v2/otlp/v1/traces" timeout: 10s headers: - name: "Authorization" value: "Api-Token dt0c01." resource_detectors: dynatrace: \{\} dynatrace_sampler: tenant: "\{your-environment-id\}" cluster_id: 1234 | | | +| `grpc` _[MeshConfigExtensionProviderGrpcService](#meshconfigextensionprovidergrpcservice)_ | Optional. Specifies the configuration for exporting OTLP traces via GRPC. When empty, traces will check whether HTTP is set. If not, traces will use default GRPC configurations. The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC: 1. Add/change the OpenTelemetry extension provider in `MeshConfig` ```yaml - name: opentelemetry opentelemetry: port: 8090 service: tracing.example.com grpc: timeout: 10s initialMetadata: - name: "Authentication" value: "token-xxxxx" ``` 2. Deploy a `ServiceEntry` for the observability back-end ```yaml apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: tracing-grpc spec: hosts: - tracing.example.com ports: - number: 8090 name: grpc-port protocol: GRPC resolution: DNS location: MESH_EXTERNAL ``` | | | +| `resourceDetectors` _[MeshConfigExtensionProviderResourceDetectors](#meshconfigextensionproviderresourcedetectors)_ | Optional. 
Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com resourceDetectors: environment: \{\} ``` | | | +| `dynatraceSampler` _[MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler](#meshconfigextensionprovideropentelemetrytracingproviderdynatracesampler)_ | The Dynatrace adaptive traffic management (ATM) sampler. Example configuration: ```yaml - name: otel-tracing opentelemetry: port: 443 service: "\{your-environment-id\}.live.dynatrace.com" http: path: "/api/v2/otlp/v1/traces" timeout: 10s headers: - name: "Authorization" value: "Api-Token dt0c01." resourceDetectors: dynatrace: \{\} dynatraceSampler: tenant: "\{your-environment-id\}" clusterId: 1234 | | | @@ -1647,6 +1655,7 @@ _Appears in:_ | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} | | `maxTagLength` _integer_ | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | | | | `enable64bitTraceId` _boolean_ | Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used. | | | +| `path` _string_ | Optional. Specifies the endpoint of Zipkin API. The default value is "/api/v2/spans". | | | #### MeshConfigH2UpgradePolicy 
@@ -1717,8 +1726,8 @@ _Appears in:_ | --- | --- | | `UNSPECIFIED` | Unspecified Istio ingress controller. | | `OFF` | Disables Istio ingress controller. | -| `DEFAULT` | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. | -| `STRICT` | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). | +| `DEFAULT` | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. | +| `STRICT` | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). | #### MeshConfigOutboundTrafficPolicy 
@@ -1820,7 +1829,7 @@ _Appears in:_ | `statusPort` _integer_ | Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port `15020`. | | | | `extraStatTags` _string array_ | An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics. Deprecated: `istio.stats` is a native filter now, this field is no longer needed. | | | | `gatewayTopology` _[Topology](#topology)_ | Topology encapsulates the configuration which describes where the proxy is located i.e. behind a (or N) trusted proxy (proxies) or directly exposed to the internet. This configuration only effects gateways and is applied to all the gateways in the cluster unless overridden via annotations of the gateway workloads. | | | -| `terminationDrainDuration` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. | | | +| `terminationDrainDuration` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. 
It then sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. | | | | `meshId` _string_ | The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. | | | | `readinessProbe` _[Probe](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#probe-v1-core)_ | VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time. | | | | `proxyStatsMatcher` _[ProxyConfigProxyStatsMatcher](#proxyconfigproxystatsmatcher)_ | Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (`sidecar.istio.io/statsInclusionPrefixes`, `sidecar.istio.io/statsInclusionRegexps`, and `sidecar.istio.io/statsInclusionSuffixes`). For example, to enable stats for circuit breakers, request retries, upstream connections, and request timeouts, you can specify stats matcher as follows: ```yaml proxyStatsMatcher: inclusionRegexps: - .*outlier_detection.* - .*upstream_rq_retry.* - .*upstream_cx_.* inclusionSuffixes: - upstream_rq_timeout ``` Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality. | | | 
@@ -2006,7 +2015,7 @@ adding the `ISTIO_META_NETWORK` environment variable to the sidecar. a. By matching the registry name with one of the "fromRegistry" - in the mesh config. A "from_registry" can only be assigned to a + in the mesh config. A "fromRegistry" can only be assigned to a single network. 
@@ -2066,22 +2075,22 @@ _Appears in:_ | `autoscaleMin` _integer_ | Minimum number of replicas in the HorizontalPodAutoscaler for Pilot. | | | | `autoscaleMax` _integer_ | Maximum number of replicas in the HorizontalPodAutoscaler for Pilot. | | | | `autoscaleBehavior` _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior | | | -| `replicaCount` _integer_ | Number of replicas in the Pilot Deployment. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `replicaCount` _integer_ | Number of replicas in the Pilot Deployment. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `image` _string_ | Image name used for Pilot. This can be set either to image name if hub is also set, or can be set to the full hub:name string. Examples: custom-pilot, docker.io/someuser:custom-pilot | | | | `traceSampling` _float_ | Trace sampling fraction. Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. Allowed values: 0.0 to 1.0 | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `cpu` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. 
| | | -| `nodeSelector` _object (keys:string, values:string)_ | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `cpu` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `nodeSelector` _object (keys:string, values:string)_ | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `keepaliveMaxServerConnectionAge` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | Maximum duration that a sidecar can be connected to a pilot. This setting balances out load across pilot instances, but adds some resource overhead. Examples: 300s, 30m, 1h | | | | `deploymentLabels` _object (keys:string, values:string)_ | Labels that are added to Pilot deployment. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | | | `podLabels` _object (keys:string, values:string)_ | Labels that are added to Pilot pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | | | `configMap` _boolean_ | Configuration settings passed to Pilot as a ConfigMap. This controls whether the mesh config map, generated from values.yaml is generated. 
If false, pilot wil use default values or user-supplied values, in that order of preference. | | | | `env` _object (keys:string, values:string)_ | Environment variables passed to the Pilot container. Examples: env: ENV_VAR_1: value1 ENV_VAR_2: value2 | | | | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity to set on the Pilot Pods. | | | -| `rollingMaxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | K8s rolling update strategy Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | XIntOrString: \{\} | -| `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update (see `strategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | XIntOrString: \{\} | -| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | The node tolerations to be applied to the Pilot deployment so that it can be scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `podAnnotations` _object (keys:string, values:string)_ | K8s annotations for pods. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. 
| | | +| `rollingMaxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | K8s rolling update strategy Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | XIntOrString: \{\} | +| `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update (see `strategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | XIntOrString: \{\} | +| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | The node tolerations to be applied to the Pilot deployment so that it can be scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `podAnnotations` _object (keys:string, values:string)_ | K8s annotations for pods. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `serviceAnnotations` _object (keys:string, values:string)_ | K8s annotations for the Service. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | | | `serviceAccountAnnotations` _object (keys:string, values:string)_ | K8s annotations for the service account | | | | `jwksResolverExtraRootCA` _string_ | Specifies an extra root certificate in PEM format. This certificate will be trusted by pilot when resolving JWKS URIs. | | | 
@@ -2095,10 +2104,11 @@ _Appears in:_ | `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#volume-v1-core) array_ | Additional volumes to add to the Pilot Pod. | | | | `ipFamilies` _string array_ | Defines which IP family to use for single stack or the order of IP families for dual-stack. Valid list items are "IPv4", "IPv6". More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | | | `ipFamilyPolicy` _string_ | Controls whether Services are configured to use IPv4, IPv6, or both. Valid options are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | | -| `memory` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target memory utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `memory` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target memory utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `cni` _[CNIUsageConfig](#cniusageconfig)_ | Configures whether to use an existing CNI installation for workloads | | | | `taint` _[PilotTaintControllerConfig](#pilottaintcontrollerconfig)_ | | | | | `trustedZtunnelNamespace` _string_ | If set, `istiod` will allow connections from trusted node proxy ztunnels in the provided namespace. | | | +| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane"). | | | 
@@ -2199,11 +2209,11 @@ _Appears in:_ | `readinessFailureThreshold` _integer_ | Sets the number of successive failed probes before indicating readiness failure. | | | | `startupProbe` _[StartupProbe](#startupprobe)_ | Configures the startup probe for the istio-proxy container. | | | | `statusPort` _integer_ | Default port used for the Pilot agent's health checks. | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `tracer` _[Tracer](#tracer)_ | Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. | | Enum: [zipkin lightstep datadog stackdriver openCensusAgent none] | | `excludeOutboundPorts` _string_ | A comma separated list of outbound ports to be excluded from redirection to Envoy. | | | | `lifecycle` _[Lifecycle](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#lifecycle-v1-core)_ | The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks | | | -| `holdApplicationUntilProxyStarts` _boolean_ | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `holdApplicationUntilProxyStarts` _boolean_ | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `includeInboundPorts` _string_ | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. | | | | `includeOutboundPorts` _string_ | A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. | | | 
@@ -2243,6 +2253,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `forwardedClientCert` _[ForwardClientCertDetails](#forwardclientcertdetails)_ | Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). By default, `APPEND_FORWARD` will be used. | | Enum: [UNDEFINED SANITIZE FORWARD_ONLY APPEND_FORWARD SANITIZE_SET ALWAYS_FORWARD_ONLY] | +| `setCurrentClientCertDetails` _[ProxyConfigProxyHeadersSetCurrentClientCertDetails](#proxyconfigproxyheaderssetcurrentclientcertdetails)_ | This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that `Hash` is always set, and `By` is always set when the client certificate presents the URI type Subject Alternative Name value. | | | | `requestId` _[ProxyConfigProxyHeadersRequestId](#proxyconfigproxyheadersrequestid)_ | Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. This applies to all types of traffic (inbound, outbound, and gateways). If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. This header is enabled by default if not configured. | | | | `server` _[ProxyConfigProxyHeadersServer](#proxyconfigproxyheadersserver)_ | Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). If disabled, the `Server` header is not modified. If it is already present, it will be preserved. 
| | | | `attemptCount` _[ProxyConfigProxyHeadersAttemptCount](#proxyconfigproxyheadersattemptcount)_ | Controls the `X-Envoy-Attempt-Count` header. If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. If disabled, this header will not be set. If it is already present, it will be preserved. This header is enabled by default if not configured. | | | @@ -2312,6 +2323,19 @@ _Underlying type:_ _[struct{Disabled *bool "json:\"disabled,omitempty\""; Value +_Appears in:_ +- [ProxyConfigProxyHeaders](#proxyconfigproxyheaders) + + + +#### ProxyConfigProxyHeadersSetCurrentClientCertDetails + +_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert bool "json:\"cert,omitempty\""; Chain bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-bool-"json:\"cert,omitempty\"";-chain-bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_ + + + + + _Appears in:_ - [ProxyConfigProxyHeaders](#proxyconfigproxyheaders) @@ -2341,7 +2365,7 @@ _Appears in:_ _Underlying type:_ _string_ Allows specification of various Istio-supported naming schemes for the -Envoy `service_cluster` value. The `servce_cluster` value is primarily used +Envoy `service_cluster` value. The `service_cluster` value is primarily used by Envoys to provide service names for tracing spans. _Validation:_ 
@@ -2390,7 +2414,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `image` _string_ | Specifies the image for the proxy_init container. | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | #### RemoteIstio 
@@ -2412,7 +2436,7 @@ _Appears in:_ | `kind` _string_ | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds | | | | `apiVersion` _string_ | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources | | | | `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | | -| `spec` _[RemoteIstioSpec](#remoteistiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.0 \} | | +| `spec` _[RemoteIstioSpec](#remoteistiospec)_ | | \{ namespace:istio-system updateStrategy:map[type:InPlace] version:v1.23.2 \} | | | `status` _[RemoteIstioStatus](#remoteistiostatus)_ | | | | 
@@ -2510,7 +2534,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.2, v1.22.5, v1.21.6, latest. | v1.23.2 | Enum: [v1.23.2 v1.22.5 v1.21.6 latest] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the RemoteIstio CR is updated. | \{ type:InPlace \} | | | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | @@ -2533,6 +2557,7 @@ _Appears in:_ | `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this RemoteIstio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object. | | | | `conditions` _[RemoteIstioCondition](#remoteistiocondition) array_ | Represents the latest available observations of the object's current state. | | | | `state` _[RemoteIstioConditionReason](#remoteistioconditionreason)_ | Reports the current state of the object. | | | +| `activeRevisionName` _string_ | The name of the active revision. | | | | `revisions` _[RevisionSummary](#revisionsummary)_ | Reports information about the underlying IstioRevisions. | | | 
@@ -2550,7 +2575,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `address` _string_ | Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the `tls_settings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | | `tcpKeepalive` _[ConnectionPoolSettingsTCPSettingsTcpKeepalive](#connectionpoolsettingstcpsettingstcpkeepalive)_ | If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives. | | | @@ -2624,7 +2649,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `token` _[SDSConfigToken](#sdsconfigtoken)_ | Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `token` _[SDSConfigToken](#sdsconfigtoken)_ | Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | #### SDSConfigToken 
@@ -2804,7 +2829,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `numTrustedProxies` _integer_ | Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of num_trusted_proxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. | | | +| `numTrustedProxies` _integer_ | Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of numTrustedProxies is 0. 
See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. | | | | `forwardClientCertDetails` _[ForwardClientCertDetails](#forwardclientcertdetails)_ | Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) header in the incoming request. | | Enum: [UNDEFINED SANITIZE FORWARD_ONLY APPEND_FORWARD SANITIZE_SET ALWAYS_FORWARD_ONLY] | | `proxyProtocol` _[TopologyProxyProtocolConfiguration](#topologyproxyprotocolconfiguration)_ | Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for downstream connections on a gateway. | | | @@ -2949,7 +2974,7 @@ _Appears in:_ | `stackdriver` _[TracingStackdriver](#tracingstackdriver)_ | Use a Stackdriver tracer. | | | | `openCensusAgent` _[TracingOpenCensusAgent](#tracingopencensusagent)_ | Use an OpenCensus tracer exporting to an OpenCensus agent. | | | | `sampling` _float_ | The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | 
@@ -3063,7 +3088,7 @@ _Appears in:_ | `revision` _string_ | Identifies the revision this installation is associated with. | | | | `meshConfig` _[MeshConfig](#meshconfig)_ | Defines runtime configuration of components, including Istiod and istio-agent behavior. See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. TODO can this import the real mesh config API? | | | | `base` _[BaseConfig](#baseconfig)_ | Configuration for the base component. | | | -| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for istiod-remote. | | | +| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for istiod-remote. DEPRECATED - istiod-remote chart is removed and replaced with `istio-discovery --set values.istiodRemote.enabled=true` Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `revisionTags` _string array_ | Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration is created for each alias. | | | | `defaultRevision` _string_ | The name of the default revision in the cluster. | | | | `profile` _string_ | Specifies which installation configuration profile to apply. | | | 
@@ -3085,6 +3110,10 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resource settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | | | +| `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity settings for waypoint pods. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity | | | +| `topologySpreadConstraints` _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#topologyspreadconstraint-v1-core) array_ | K8s topology spread constraints settings. See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | | | +| `nodeSelector` _[NodeSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#nodeselector-v1-core)_ | K8s node labels settings. See https://kubernetes.io/docs/user-guide/node-selection/ | | | +| `toleration` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | K8s tolerations settings. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | | |
diff --git a/docs/common/create-and-configure-gateways.md b/docs/common/create-and-configure-gateways.md
new file mode 100644
index 000000000..29e35bd75
--- /dev/null
+++ b/docs/common/create-and-configure-gateways.md
@@ -0,0 +1,84 @@ +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + + +### Option 1: Istio Gateway Injection + +Gateway Injection uses the same mechanisms as Istio sidecar injection to create +a gateway from a `Deployment` resource that is paired with a `Service` resource +that can be made accessible from outside the cluster. For more information, see +[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). + +To configure gateway injection with the `bookinfo` application, we have provided +a [sample gateway configuration](../../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace +where the application is installed: + +1. Create the `istio-ingressgateway` deployment and service: + + ```sh + $ oc apply -f -n ingress-gateway.yaml + ``` + +2. Configure the `bookinfo` application with the new gateway: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml + ``` + +3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: + + ```sh + $ oc expose service istio-ingressgateway + ``` + +4. Finally, obtain the gateway host name and the URL of the product page: + + ```sh + $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') + $ echo http://$HOST/productpage + ``` + +Verify that the `productpage` is accessible from a web browser. 
+ + +### Option 2: Kubernetes Gateway API + +Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it +the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more +information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. + +As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are +not available by default and must be enabled to be used. This can be done with +the command: + +```sh +$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } +``` + +To configure `bookinfo` with a gateway using `Gateway API`: + +1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml + ``` + +2. Retrieve the host, port and gateway URL: + + ```sh + $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') + $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') + $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT + ``` + +3. Obtain the `productpage` URL and check that you can visit it from a browser: + + ```sh + $ echo "http://${GATEWAY_URL}/productpage" + ``` diff --git a/docs/common/install-bookinfo-app.md b/docs/common/install-bookinfo-app.md new file mode 100644 index 000000000..0026b4d8e --- /dev/null +++ b/docs/common/install-bookinfo-app.md 
@@ -0,0 +1,30 @@ +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +The `bookinfo` application displays information about a book, similar to a +single catalog entry of an online book store. The application displays a page +that describes the book, lists book details (ISBN, number of pages, and other +information), and book reviews. + +The `bookinfo` application is exposed through the mesh, and the mesh configuration +determines how the microservices comprising the application are used to serve +requests. The review information comes from one of three services: `reviews-v1`, +`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without +defining the `reviews` virtual service, then the mesh uses a round-robin rule to +route requests to a service. + +By deploying the `reviews` virtual service, you can specify a different behavior. +For example, you can specify that if a user logs into the `bookinfo` application, +then the mesh routes requests to the `reviews-v2` service, and the application +displays reviews with black stars. If a user does not log into the `bookinfo` +application, then the mesh routes requests to the `reviews-v3` service, and the +application displays reviews with red stars. + +For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. + +After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you +will need to create and configure a gateway** for the `bookinfo` application to +be accessible outside the cluster. diff --git a/docs/common/install-istioctl-tool.md b/docs/common/install-istioctl-tool.md new file mode 100644 index 000000000..68fa0dcf3 
--- /dev/null +++ b/docs/common/install-istioctl-tool.md @@ -0,0 +1,51 @@ +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + + +### Prerequisites + +Use an `istioctl` version that is the same version as the Istio control plane +for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid +releases, including Beta releases. + +### Procedure + +1. Confirm if you have `istioctl` installed, and if so which version, by running +the following command at the terminal: + + ```sh + $ istioctl version + ``` + +2. Confirm the version of Istio you are using by running the following command +at the terminal: + + ```sh + $ oc get istio + ``` + +3. Install `istioctl` by running the following command at the terminal: + + ```sh + $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - + ``` + Replace `` with the version of Istio you are using. + +4. Put the `istioctl` directory on path by running the following command at the terminal: + + ```sh + $ export PATH=$HOME/.istioctl/bin:$PATH + ``` + +5. Confirm that the `istioctl` client version and the Istio control plane +version now match (or are within one version) by running the following command +at the terminal: + + ```sh + $ istioctl version + ``` +For more information on usage, see the [Istioctl documentation](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. diff --git a/docs/common/istio-addons-integrations.md b/docs/common/istio-addons-integrations.md new file mode 100644 index 000000000..36f0ee1da --- /dev/null +++ b/docs/common/istio-addons-integrations.md 
@@ -0,0 +1,119 @@ +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). +The following addons are for demonstration or development purposes only and +should not be used in production environments: + + +### Prometheus + +`Prometheus` is an open-source systems monitoring and alerting toolkit. You can +use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and +the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/). + +To install Prometheus, perform the following steps: + +1. Deploy `Prometheus`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml + ``` +2. Access to `Prometheus`console: + + * Expose the `Prometheus` service externally: + + ```sh + $ oc expose service prometheus -n istio-system + ``` + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system + ``` + + +### Grafana + +`Grafana` is an open-source platform for monitoring and observability. You can +use `Grafana` with the Sail Operator to configure dashboards for istio, see +[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information. + +To install Grafana, perform the following steps: + +1. Deploy `Grafana`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml + ``` + +2. Access to `Grafana`console: + + * Expose the `Grafana` service externally + + ```sh + $ oc expose service grafana -n istio-system + ``` + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system + ``` + + +### Jaeger + +`Jaeger` is an open-source end-to-end distributed tracing system. 
You can use +`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in +complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information. + +To install Jaeger, perform the following steps: + +1. Deploy `Jaeger`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml + ``` +2. Access to `Jaeger` console: + + * Expose the `Jaeger` service externally: + + ```sh + $ oc expose svc/tracing -n istio-system + ``` + + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system + ``` +*Note*: if you want to see some traces you can refresh several times the product +page of bookinfo app to start generating traces. + + +### Kiali + +`Kiali` is an open-source project that provides a graphical user interface to +visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information. + +To install Kiali, perform the following steps: + +1. Deploy `Kiali`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml + ``` + +2. Access to `Kiali` console: + + * Expose the `Kiali` service externally: + + ```sh + $ oc expose service kiali -n istio-system + ``` + + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system + ``` diff --git a/docs/multicluster/controlplane-gateway.yaml b/docs/multicluster/controlplane-gateway.yaml new file mode 100644 index 000000000..33689f854 --- /dev/null +++ b/docs/multicluster/controlplane-gateway.yaml 
@@ -0,0 +1,355 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-service-account + namespace: istio-system + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: istio-ingressgateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: "false" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: null + requiredDuringSchedulingIgnoredDuringExecution: null + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + 
fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.22.1 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 15012 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: 
/var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs + +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + 
operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account + +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + +--- +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: tls-xds + port: 15012 + protocol: TCP + targetPort: 15012 + - name: tls-webhook + port: 15017 + protocol: TCP + targetPort: 15017 + selector: + app: istio-ingressgateway + istio: ingressgateway + type: LoadBalancer + +--- 
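Review bot: The `istio-ingressgateway` Service at the end of the hunk is `type: LoadBalancer` and publishes `tls-xds` (15012) and `tls-webhook` (15017) with no `loadBalancerSourceRanges`, so the control plane's XDS and webhook endpoints become reachable from any address the load balancer accepts; for a multi-primary setup that is presumably intended, but the manifest should say so and leave room to narrow the source range, e.g. a comment `# Exposes istiod XDS/webhook across networks; restrict with spec.loadBalancerSourceRanges where possible` above `type: LoadBalancer`. The proxy image is pinned by mutable tag, `image: docker.io/istio/proxyv2:1.22.1`, which is hard-coded here and will drift from whatever control-plane version the companion setup script installs; pinning by digest, or deriving the tag from the same version the script uses, keeps the gateway and istiod in step and makes the pull reproducible. The `annotations: null` on the Service and the two `null` node-affinity entries carry no configuration and read as leftover template output; dropping them should leave the applied objects unchanged.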
diff --git a/docs/multicluster/setup-multi-primary.sh b/docs/multicluster/setup-multi-primary.sh
index 4463c3719..53589089f 100755
--- a/docs/multicluster/setup-multi-primary.sh
+++ b/docs/multicluster/setup-multi-primary.sh
@@ -25,6 +25,7 @@ while [ $# -gt 0 ]; do
 exit 0
 ;;
 esac
+ shift
 done
 
 set -euo pipefail
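Review bot: The added `shift` appears to be what lets the `while [ $# -gt 0 ]` loop advance, but the loop still runs before `set -euo pipefail` on the last context line, so an unknown or malformed argument is consumed silently unless a `case` default branch (not visible in the hunk) rejects it. A `*) echo "unknown argument: $1" >&2; exit 1 ;;` branch, or moving `set -euo pipefail` above the loop, would make argument errors fail loudly instead of falling through to the cluster commands. The enclosing `while`/`case` starts outside the hunk.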
@@ -96,7 +97,7 @@ kubectl get secret -n istio-system --context "${CTX_CLUSTER2}" cacerts || kubect # 4. Create Sail CR on east kubectl apply --context "${CTX_CLUSTER1}" -f - < github.com/imdario/mergo v0.3.5 require ( + github.com/Masterminds/semver/v3 v3.3.0 github.com/elastic/crd-ref-docs v0.1.0 github.com/go-logr/logr v1.4.2 github.com/google/go-cmp v0.6.0 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 github.com/magiconair/properties v1.8.7 - github.com/onsi/ginkgo/v2 v2.17.3 - github.com/onsi/gomega v1.33.1 - github.com/prometheus/common v0.55.0 - golang.org/x/mod v0.19.0 - golang.org/x/text v0.16.0 - golang.org/x/tools v0.23.0 + github.com/onsi/ginkgo/v2 v2.20.1 + github.com/onsi/gomega v1.34.2 + github.com/prometheus/common v0.60.0 + github.com/stretchr/testify v1.9.0 + golang.org/x/mod v0.20.0 + golang.org/x/text v0.18.0 + golang.org/x/tools v0.24.0 gomodules.xyz/jsonpatch/v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.15.1 - istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19 - istio.io/istio v0.0.0-20240813230019-b191b039631b - k8s.io/api v0.30.3 - k8s.io/apiextensions-apiserver v0.30.3 - k8s.io/apimachinery v0.30.3 - k8s.io/cli-runtime v0.30.3 - k8s.io/client-go v0.30.3 - sigs.k8s.io/controller-runtime v0.18.3 + helm.sh/helm/v3 v3.16.1 + istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d + istio.io/istio v0.0.0-20241006152922-6f95f8c912c4 + k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/cli-runtime v0.31.1 + k8s.io/client-go v0.31.1 + sigs.k8s.io/controller-runtime v0.19.0 ) require ( + dario.cat/mergo v1.0.1 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/BurntSushi/toml v1.3.2 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect 
github.com/Masterminds/semver v1.5.0 // indirect - github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/Masterminds/sprig v2.22.0+incompatible // indirect - github.com/Masterminds/sprig/v3 v3.2.3 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/hcsshim v0.11.4 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect github.com/containerd/containerd v1.7.12 // indirect github.com/containerd/log v0.1.0 // indirect - github.com/cyphar/filepath-securejoin v0.2.4 // indirect + github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.5.0 // indirect - github.com/docker/cli v27.1.1+incompatible // indirect + github.com/docker/cli v27.3.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v26.0.2+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.1 // indirect + github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/emicklei/go-restful/v3 v3.12.0 // indirect @@ -65,6 +68,7 @@ require ( github.com/fatih/color v1.17.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect 
@@ -82,11 +86,11 @@ require ( github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect + github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gorilla/mux v1.8.1 // indirect - github.com/gorilla/websocket v1.5.1 // indirect + github.com/gorilla/websocket v1.5.3 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect @@ -94,10 +98,10 @@ require ( github.com/huandu/xstrings v1.5.0 // indirect github.com/imdario/mergo v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/jmoiron/sqlx v1.3.5 // indirect + github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.8 // indirect + github.com/klauspost/compress v1.17.9 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -110,7 +114,7 @@ require ( github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/locker v1.0.1 // indirect - github.com/moby/spdystream v0.2.0 // indirect + github.com/moby/spdystream v0.4.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect 
@@ -118,59 +122,62 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc6 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.19.1 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/prometheus/client_golang v1.20.4 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect github.com/rivo/uniseg v0.4.6 // indirect - github.com/rubenv/sql-migrate v1.5.2 // indirect + github.com/rubenv/sql-migrate v1.7.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/shopspring/decimal v1.3.1 // indirect + github.com/shopspring/decimal v1.4.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect - github.com/spf13/cast v1.6.0 // indirect + github.com/spf13/cast v1.7.0 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect - go.opentelemetry.io/otel v1.28.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // 
indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.25.0 // indirect - golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 // indirect - golang.org/x/net v0.27.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.22.0 // indirect - golang.org/x/term v0.22.0 // indirect - golang.org/x/time v0.5.0 // indirect + golang.org/x/crypto v0.27.0 // indirect + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/net v0.29.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/time v0.6.0 // indirect golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d // indirect - google.golang.org/grpc v1.65.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect + google.golang.org/grpc v1.67.1 // indirect google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools/v3 v3.5.1 // indirect - istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801 // indirect - k8s.io/apiserver v0.30.3 // indirect - k8s.io/component-base v0.30.3 // indirect + istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 // indirect + k8s.io/apiserver v0.31.1 // indirect + k8s.io/component-base v0.31.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi 
v0.0.0-20240423202451-8948a665c108 // indirect - k8s.io/kubectl v0.30.3 // indirect - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + k8s.io/kubectl v0.31.1 // indirect + k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect oras.land/oras-go v1.2.5 // indirect sigs.k8s.io/controller-tools v0.15.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect - sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect + sigs.k8s.io/kustomize/api v0.17.2 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index 21e138aac..0cdb5dc87 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,7 @@ +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= 
@@ -12,13 +16,12 @@ github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJ github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= -github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= -github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= -github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= -github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= 
@@ -37,6 +40,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= @@ -60,8 +65,8 @@ github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= -github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -70,14 +75,14 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= -github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= +github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE= github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= -github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= +github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -100,12 +105,14 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= -github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= 
@@ -132,19 +139,13 @@ github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD87 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE= github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= -github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= -github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= -github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= -github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= -github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= -github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= -github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= -github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM= 
@@ -172,20 +173,18 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= -github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket 
v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= @@ -197,15 +196,14 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g= -github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 
@@ -215,25 +213,24 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 h1:VzM3TYHDgqPkettiP6I6q2jOeQFL4nrJM+UcAc4f6Fs= github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0/go.mod h1:nqCI7aelBJU61wiBeeZWJ6oi4bJy5nrjkM6lWIMA4j0= -github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= -github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= -github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= 
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= -github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= @@ -242,12 +239,6 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= -github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= -github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= -github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= -github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= -github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
@@ -255,24 +246,21 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= -github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= -github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs= -github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod 
h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= 
@@ -295,14 +283,14 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= -github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= +github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= 
@@ -318,16 +306,16 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs 
v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= 
@@ -336,23 +324,21 @@ github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoG github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.6 h1:Sovz9sDSwbOz9tgUy8JpT+KgCkPYJEN/oYzlJiYTNLg= github.com/rivo/uniseg v0.4.6/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= -github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0= -github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= +github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= -github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal 
v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -365,7 +351,6 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -373,6 +358,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= @@ -384,7 +371,6 @@ github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= 
@@ -393,14 +379,14 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.starlark.net 
v0.0.0-20231121155337-90ade8b19d09 h1:hzy3LFnSN8kuQK8h9tHl4ndF6UruMj47OqwqsS+/Ai4= go.starlark.net v0.0.0-20231121155337-90ade8b19d09/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -415,75 +401,57 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 h1:wDLEX9a7YQoKdKNQt88rtydkqDxeGaBUTnIYc3iG/mA= -golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net 
v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= 
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -492,24 +460,25 @@ golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUO golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d h1:kHjw/5UfflP/L5EbledDrcG4C2597RtymmGRZvHiCuY= -google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d h1:JU0iKnSg02Gmb5ZdV8nYsKEKsP6o/FGVWTrw4i1DA9A= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod 
h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 
@@ -518,48 +487,48 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0= -helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= -istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801 h1:7cxaHipka0v7rK9/kcthjmIucVnV3jHEROUBHONYeCo= -istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= -istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19 h1:NwuYY0d6HZLNLHBrgtfZ6Q/dw+DwGYTFPtqoP7XNx7g= -istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19/go.mod h1:VarGlJP6p95t2P7KKKAPKpnG5XA4fv/y8V6EfgcYRcw= -istio.io/istio v0.0.0-20240813230019-b191b039631b h1:1EWcxrdpcuaNKqOf93hcxS42+n23bfMRJWQHc7MtTOw= -istio.io/istio v0.0.0-20240813230019-b191b039631b/go.mod h1:4YypioCIdszSllDb9Vo+U79ThLw6ilpnsmlJxvVaJ9c= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= -k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= -k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= -k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= -k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= -k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= -k8s.io/client-go v0.30.3 
h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= -k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= -k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= -k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= +helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= +istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22 h1:zJhF3wFCBR6aYymRVqO9/lSX2D/sk/qklQrRF7lbIj8= +istio.io/api v1.23.0-alpha.0.0.20241005033901-9723aca52e22/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= +istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d h1:rlMkdB4mK+b8TKSuxVOOZYh4mpDkDgYvVQj75wwLYKA= +istio.io/client-go v1.23.0-alpha.0.0.20241005034300-2c4a3cee6f7d/go.mod h1:K/KtGTGAA72MC0oPUIFE1ux9aQUqepNP2e4YCz2YleE= +istio.io/istio v0.0.0-20241006152922-6f95f8c912c4 h1:njSM52+zyIPtmLYNr4jEFb7n4NBnudB95llLRzicBNs= +istio.io/istio v0.0.0-20241006152922-6f95f8c912c4/go.mod h1:///kOEmTI1EXlYBf1zS1l63r/Otcx0S1EG/95ZJ0LOo= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= +k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= 
+k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= +k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= -k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= +k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI= +k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= -sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= -sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.15.0 h1:4dxdABXGDhIa68Fiwaif0vcu32xfwmgQ+w8p+5CxoAI= sigs.k8s.io/controller-tools v0.15.0/go.mod 
h1:8zUSS2T8Hx0APCNRhJWbS3CAQEbIxLa07khzh7pZmXM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= -sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= -sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= -sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= +sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= +sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= +sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/hack/api_transformer/transform.yaml b/hack/api_transformer/transform.yaml index 4c5ed04bd..5a9a0c95a 100644 --- a/hack/api_transformer/transform.yaml +++ b/hack/api_transformer/transform.yaml @@ -42,8 +42,10 @@ globalTransformations: inputFiles: - module: istio.io/istio - path: /operator/pkg/apis/istio/v1alpha1/values_types.pb.go + path: /operator/pkg/apis/values_types.pb.go transformations: + renameImports: + v1: k8sv1 removeTypes: - EgressGatewayConfig - IngressGatewayConfig diff --git a/hack/extract-istio-crds.sh b/hack/extract-istio-crds.sh index d693be103..6045c8a57 100755 --- a/hack/extract-istio-crds.sh +++ b/hack/extract-istio-crds.sh 
@@ -16,7 +16,11 @@ set -euo pipefail -INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/crds/crd-all.gen.yaml" +INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/files/crd-all.gen.yaml" +# check if the file exists and adjust the file path if necessary (this is needed because older Istio versions have the CRDs in a different location) +if [ ! -f "${INPUT_FILE}" ]; then + INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/crds/crd-all.gen.yaml" +fi SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) REPO_ROOT=$(dirname "${SCRIPT_DIR}") diff --git a/hack/helm-artifacts.sh b/hack/helm-artifacts.sh new file mode 100755 index 000000000..248d81c40 --- /dev/null +++ b/hack/helm-artifacts.sh 
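Review bot: If neither the new `files/` location nor the legacy `crds/` fallback exists, INPUT_FILE is silently left pointing at the non-existent fallback and the failure only surfaces later, wherever the file is first read. A final existence check after the `fi` makes the cause explicit: `[ -f "${INPUT_FILE}" ] || { echo "Istio CRD file not found: ${INPUT_FILE}" >&2; exit 1; }`. The `go list -m -f '{{.Dir}}' istio.io/istio` lookup is also run twice; capturing it once in a variable such as `ISTIO_DIR` before building either path avoids the repeated call and keeps both paths visibly derived from the same module directory.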
@@ -0,0 +1,123 @@ +#!/bin/bash +# shellcheck disable=SC1091 + +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +CUR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +source "${CUR_DIR}"/validate_semver.sh + +GITHUB_TOKEN="${GITHUB_TOKEN:-}" + +GIT_CONFIG_USER_NAME="${GIT_CONFIG_USER_NAME:-}" +GIT_CONFIG_USER_EMAIL="${GIT_CONFIG_USER_EMAIL:-}" + +UPSTREAM_OPERATOR_NAME="${UPSTREAM_OPERATOR_NAME:-"sail-operator"}" +OWNER="${OWNER:-"istio-ecosystem"}" +HUB_REPO_URL="${HUB_REPO_URL:-github.com/${OWNER}/${UPSTREAM_OPERATOR_NAME}}" +HUB_HELM_BRANCH="${HUB_HIVE_BRANCH:-"gh-pages"}" +HUB_HELM_ARTIFACT_URL="https://${HUB_REPO_URL}/releases/download/${OPERATOR_VERSION}"/ + +: "${OPERATOR_VERSION:?"Missing OPERATOR_VERSION variable"}" + +show_help() { + cat < /dev/null; then + die "Helm command is missing" + fi + + TMP_DIR=$(mktemp -d) + trap 'rm -rf "${TMP_DIR}"' EXIT + + git clone --single-branch --depth=1 --branch "${HUB_HELM_BRANCH}" "https://${GIT_USER}:${GITHUB_TOKEN}@${HUB_REPO_URL}" "${TMP_DIR}/${UPSTREAM_OPERATOR_NAME}" + cd "${TMP_DIR}/${UPSTREAM_OPERATOR_NAME}" + + if ! git config user.name; then + git config user.name "${GIT_CONFIG_USER_NAME}" + fi + + if ! 
git config user.email; then + git config user.email "${GIT_CONFIG_USER_EMAIL}" + fi +} + +function fetch_released_artifact() { + echo "Fetch released helm artifact" + + wget "${HUB_HELM_ARTIFACT_URL}/${UPSTREAM_OPERATOR_NAME}-${OPERATOR_VERSION}.tgz" +} + +function update_helm_repo_index() { + echo "Update index of Helm repo" + local helm_branch="update_helm_artifact_${OPERATOR_VERSION}" + + git checkout -b "$helm_branch" + helm repo index --merge index.yaml . --url "${HUB_HELM_ARTIFACT_URL}" + git add index.yaml + git commit -m "Add new sail-operator chart release - ${OPERATOR_VERSION}" + git push origin "$helm_branch" + + PAYLOAD="${TMP_DIR}/PAYLOAD" + + jq -c -n \ + --arg msg "Add new sail-operator chart release - ${OPERATOR_VERSION}" \ + --arg head "${OWNER}:${helm_branch}" \ + --arg base "${HUB_HELM_BRANCH}" \ + --arg title "Helm artifact ${OPERATOR_VERSION}" \ + '{head: $head, base: $base, title: $title, body: $msg }' > "${PAYLOAD}" + + curl --fail-with-body -X POST \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/"${OWNER}/${UPSTREAM_OPERATOR_NAME}"/pulls \ + --data-binary "@${PAYLOAD}" +} + +while test $# -gt 0; do + case "$1" in + -h|--help) + show_help + exit 0 + ;; + *) + echo "Unknown param $1" + exit 1 + ;; + esac +done + +prepare_repo +fetch_released_artifact +update_helm_repo_index diff --git a/hack/operatorhub/publish-bundle.sh b/hack/operatorhub/publish-bundle.sh index 59fbe2785..e72e12858 100755 --- a/hack/operatorhub/publish-bundle.sh +++ b/hack/operatorhub/publish-bundle.sh @@ -23,6 +23,9 @@ source "${CUR_DIR}"/../validate_semver.sh GITHUB_TOKEN="${GITHUB_TOKEN:-}" GIT_USER="${GIT_USER:-}" +GIT_CONFIG_USER_NAME="${GIT_CONFIG_USER_NAME:-}" +GIT_CONFIG_USER_EMAIL="${GIT_CONFIG_USER_EMAIL:-}" + # The OPERATOR_NAME is defined in Makefile : "${OPERATOR_NAME:?"Missing OPERATOR_NAME variable"}" : "${OPERATOR_VERSION:?"Missing OPERATOR_VERSION variable"}" 
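Review bot: The branch override is read from the wrong variable: `HUB_HELM_BRANCH="${HUB_HIVE_BRANCH:-"gh-pages"}"` means setting HUB_HELM_BRANCH has no effect, and it should read `HUB_HELM_BRANCH="${HUB_HELM_BRANCH:-"gh-pages"}"`. HUB_HELM_ARTIFACT_URL is expanded from OPERATOR_VERSION one line before the `: "${OPERATOR_VERSION:?...}"` guard, so under `set -u` a missing version aborts with a bare unbound-variable error instead of the intended message; move the guard above that assignment (its trailing `/` also yields a double slash in the wget URL). The clone embeds the secret in the remote URL (`https://${GIT_USER}:${GITHUB_TOKEN}@${HUB_REPO_URL}`), which exposes it on the process command line and may surface it in git's own error output if the clone fails; supplying it through a credential helper or `-c http.extraHeader=...` keeps it out of both. GIT_USER is used there but, unlike GITHUB_TOKEN, is never given a default or a `:?` check in this script, so an unset value fails with an unbound-variable error. The show_help body appears garbled in this rendering (`cat < /dev/null; then`), so that part could not be reviewed.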
@@ -96,6 +99,14 @@ BUNDLE_DIR="${CUR_DIR}"/../../bundle mkdir -p "${OPERATORS_DIR}" cp -a "${BUNDLE_DIR}"/. "${OPERATORS_DIR}" +if ! git config --global user.name; then + skipInDryRun git config --global user.name "${GIT_CONFIG_USER_NAME}" +fi + +if ! git config --global user.email; then + skipInDryRun git config --global user.email "${GIT_CONFIG_USER_EMAIL}" +fi + TITLE="operator ${OPERATOR_NAME} (${OPERATOR_VERSION})" skipInDryRun git add . skipInDryRun git commit -s -m"${TITLE}" diff --git a/hack/patch-csv.sh b/hack/patch-csv.sh index 10225cac5..a5f5cfbd2 100755 --- a/hack/patch-csv.sh +++ b/hack/patch-csv.sh 
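Review bot: When GIT_CONFIG_USER_NAME or GIT_CONFIG_USER_EMAIL is unset (the earlier hunk defaults both to the empty string), the new `git config --global user.name "${GIT_CONFIG_USER_NAME}"` writes an empty identity into the global config and the later `skipInDryRun git commit` fails with a less obvious error. Validate the values before writing them, e.g. `: "${GIT_CONFIG_USER_NAME:?"Missing GIT_CONFIG_USER_NAME variable"}"` next to the existing OPERATOR_NAME guard, or only run the `git config` write when the variable is non-empty. A short comment noting that the `git config --global user.name` existence checks run even in dry-run mode, while only the writes are wrapped in skipInDryRun, would make that asymmetry intentional rather than accidental.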
@@ -52,28 +52,42 @@ function get_field() { component_dir="istiod" fi - # Set if non null order from the component most specific to the most generic + # The following code tries to find the field in several places: + # 1) .defaults.. + field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" # 2) .defaults.global.. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi # 3) .defaults. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".defaults.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi # 4) .defaults.global. - # Example: - # .defaults.istiod.hub == null - # .defaults.global.istiod.hub == null - # .defaults.hub == null - # .defaults.global.hub == "gcr.io/istio-testing" - - field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - fi - fi + field="$(${YQ} ".defaults.global.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 5) ._internal_defaults_do_not_set.. + if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 6) ._internal_defaults_do_not_set.global.. 
+ if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.global.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 7) ._internal_defaults_do_not_set. + if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 8) ._internal_defaults_do_not_set.global. + if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.global.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" fi + if is_empty_or_null "${field}"; then + field="" + fi echo "${field}" } @@ -94,6 +108,11 @@ for version in ${versions}; do image=$(get_field "${version}" "image" "${component_name}") tag=$(get_field "${version}" "tag" "${component_name}") + if [ -z "${hub}" ] || [ -z "${image}" ] || [ -z "${tag}" ]; then + echo "Missing hub, image or tag for version ${version}, component ${component_name}" + exit 1 + fi + # Add .spec.install.spec.deployments[0].spec.template.metadata.annotations with olm.relatedImage ${YQ} -i '.spec.install.spec.deployments[0].spec.template.metadata.annotations |= (. + {"images.'"${name}"'": "'"${hub}"'/'"${image}"':'"${tag}"'"})' "${clusterserviceversion_file_path}" diff --git a/hack/update-istio.sh b/hack/update-istio.sh index 80f76cf1c..b85508e7e 100755 --- a/hack/update-istio.sh +++ b/hack/update-istio.sh 
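Review bot: The eight lookups in get_field repeat the same `${YQ} "<path>" "resources/${version}/charts/${component_dir}/values.yaml"` invocation with only the yq path changing, which makes the precedence order hard to verify and easy to break when another location is added. A loop over an ordered list of candidate paths expresses the fallback chain once and returns at the first non-null hit, which also removes the trailing `field=""` normalisation. The numbered comments (`# 1) .defaults..`) look like their placeholders were lost in this rendering; writing them as e.g. `.defaults.<component>.<field>` would document the precedence properly. The `function get_field()` header is outside the hunk.
```bash
  # … unchanged: component_dir selection …
  local values_file="resources/${version}/charts/${component_dir}/values.yaml"
  local component="${COMPONENTS[$component_name]}"
  # Candidate locations, most specific first; the first non-null value wins.
  local candidate
  for candidate in \
    ".defaults.${component}.${field_name}" \
    ".defaults.global.${component}.${field_name}" \
    ".defaults.${field_name}" \
    ".defaults.global.${field_name}" \
    "._internal_defaults_do_not_set.${component}.${field_name}" \
    "._internal_defaults_do_not_set.global.${component}.${field_name}" \
    "._internal_defaults_do_not_set.${field_name}" \
    "._internal_defaults_do_not_set.global.${field_name}"; do
    field="$(${YQ} "${candidate}" "${values_file}")"
    if ! is_empty_or_null "${field}"; then
      echo "${field}"
      return 0
    fi
  done
  echo ""
```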
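Review bot: hub, image and tag are spliced into the yq expression by closing and reopening the single-quoted string (`'"${hub}"'`), so a value containing a double quote or backslash would break or alter the expression rather than be treated as data. The values come from the project's own chart values.yaml, so the practical risk is low, but if `${YQ}` is mikefarah's yq, exporting them and using `strenv(hub)` inside the expression keeps data and expression separate and avoids the quoting maze. The added missing-value check is a welcome addition; sending the message to stderr with `>&2` keeps it out of any captured stdout. The enclosing `for version in ${versions}` loop begins before this hunk.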
@@ -110,22 +110,18 @@ function update_latest() { done echo - FULL_VERSION=$(curl -sSfL "${URL}") - echo Full version: "${FULL_VERSION}" - - PARTIAL_VERSION="${FULL_VERSION%.*}" - echo Partial version: "${PARTIAL_VERSION}" + VERSION=$(curl -sSfL "${URL}") + echo Version: "${VERSION}" yq -i ' - (.versions[] | select(.name == "latest") | .version) = "'"${PARTIAL_VERSION}"'" | + (.versions[] | select(.name == "latest") | .version) = "'"${VERSION}"'" | (.versions[] | select(.name == "latest") | .commit) = "'"${COMMIT}"'" | (.versions[] | select(.name == "latest") | .charts) = [ - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/base-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/cni-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/gateway-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/istiod-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/istiod-remote-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/ztunnel-'"${FULL_VERSION}"'.tgz" + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/base-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/cni-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/gateway-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/istiod-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/ztunnel-'"${VERSION}"'.tgz" ]' "${VERSIONS_YAML_FILE}" } diff --git a/pkg/enqueuelogger/queue.go b/pkg/enqueuelogger/queue.go index f0f3b4b55..b8c76d522 100644 --- a/pkg/enqueuelogger/queue.go +++ b/pkg/enqueuelogger/queue.go 
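Review bot: `VERSION=$(curl -sSfL "${URL}")` is written straight into the versions file and into five download URLs without any check that the response is a plausible version string; an empty body, or an error page served with a 200 status, would produce a broken `latest` entry. A guard right after the curl, such as `[ -n "${VERSION}" ] || { echo "empty version from ${URL}" >&2; exit 1; }`, or a regex match against the expected version format, makes that failure loud at the point where it happens. The update_latest function begins before this hunk.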
@@ -18,22 +18,19 @@ import ( "time" "k8s.io/client-go/util/workqueue" + "sigs.k8s.io/controller-runtime/pkg/reconcile" ) // AdditionNotifierQueue is a queue that calls an onAdd function whenever an item is added to the queue. // It is meant to be used in conjunction with EnqueueEventLogger to log items enqueued by a handler. type AdditionNotifierQueue struct { - delegate workqueue.RateLimitingInterface - onAdd func(item any) + delegate workqueue.TypedRateLimitingInterface[reconcile.Request] + onAdd func(item reconcile.Request) } -var _ workqueue.RateLimitingInterface = &AdditionNotifierQueue{} +var _ workqueue.TypedRateLimitingInterface[reconcile.Request] = &AdditionNotifierQueue{} -func NewAdditionNotifierQueue(delegate workqueue.RateLimitingInterface, onAddFunc func(item any)) *AdditionNotifierQueue { - return &AdditionNotifierQueue{delegate: delegate} -} - -func (q *AdditionNotifierQueue) Add(item interface{}) { +func (q *AdditionNotifierQueue) Add(item reconcile.Request) { q.delegate.Add(item) q.onAdd(item) } @@ -42,11 +39,11 @@ func (q *AdditionNotifierQueue) Len() int { return q.delegate.Len() } -func (q *AdditionNotifierQueue) Get() (item interface{}, shutdown bool) { +func (q *AdditionNotifierQueue) Get() (item reconcile.Request, shutdown bool) { return q.delegate.Get() } -func (q *AdditionNotifierQueue) Done(item interface{}) { +func (q *AdditionNotifierQueue) Done(item reconcile.Request) { q.delegate.Done(item) } 
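Review bot: With NewAdditionNotifierQueue removed, nothing guarantees that onAdd is set before `Add` calls `q.onAdd(item)` unconditionally, so an AdditionNotifierQueue built without the callback panics on the first enqueue; the same applies to AddAfter and AddRateLimited in the next hunk of this file. Either guard the call, `if q.onAdd != nil { q.onAdd(item) }`, or restore a constructor that sets both fields (the old one silently dropped onAddFunc, which this removal at least stops hiding). A short comment on the onAdd field stating that it is required would also help, since the fields are unexported and the caller in wrapper.go builds the value with a struct literal.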
@@ -62,20 +59,20 @@ func (q *AdditionNotifierQueue) ShuttingDown() bool { return q.delegate.ShuttingDown() } -func (q *AdditionNotifierQueue) AddAfter(item interface{}, duration time.Duration) { +func (q *AdditionNotifierQueue) AddAfter(item reconcile.Request, duration time.Duration) { q.delegate.AddAfter(item, duration) q.onAdd(item) } -func (q *AdditionNotifierQueue) AddRateLimited(item interface{}) { +func (q *AdditionNotifierQueue) AddRateLimited(item reconcile.Request) { q.delegate.AddRateLimited(item) q.onAdd(item) } -func (q *AdditionNotifierQueue) Forget(item interface{}) { +func (q *AdditionNotifierQueue) Forget(item reconcile.Request) { q.delegate.Forget(item) } -func (q *AdditionNotifierQueue) NumRequeues(item interface{}) int { +func (q *AdditionNotifierQueue) NumRequeues(item reconcile.Request) int { return q.delegate.NumRequeues(item) } diff --git a/pkg/enqueuelogger/wrapper.go b/pkg/enqueuelogger/wrapper.go index 6aae8122e..f7c20472d 100644 --- a/pkg/enqueuelogger/wrapper.go +++ b/pkg/enqueuelogger/wrapper.go 
@@ -40,27 +40,28 @@ type EnqueueEventLogger struct { var _ handler.EventHandler = &EnqueueEventLogger{} -func (h *EnqueueEventLogger) Create(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Create(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Create(ctx, e, h.wrapQueue(q, "Create", e.Object)) } -func (h *EnqueueEventLogger) Update(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Update(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Update(ctx, e, h.wrapQueue(q, "Update", e.ObjectNew)) } -func (h *EnqueueEventLogger) Delete(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Delete(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Delete(ctx, e, h.wrapQueue(q, "Delete", e.Object)) } -func (h *EnqueueEventLogger) Generic(ctx context.Context, e event.TypedGenericEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Generic(ctx context.Context, e event.TypedGenericEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Generic(ctx, e, h.wrapQueue(q, "Generic", e.Object)) } -func (h *EnqueueEventLogger) wrapQueue(q workqueue.RateLimitingInterface, eventType string, obj client.Object) workqueue.RateLimitingInterface { +func (h *EnqueueEventLogger) wrapQueue( + q workqueue.TypedRateLimitingInterface[reconcile.Request], eventType string, obj client.Object, +) workqueue.TypedRateLimitingInterface[reconcile.Request] { return &AdditionNotifierQueue{ delegate: q, - onAdd: func(item any) { - request := 
item.(reconcile.Request) + onAdd: func(request reconcile.Request) { requestSummary := ObjectSummary{ Kind: h.kind, Namespace: request.Namespace, diff --git a/pkg/kube/key.go b/pkg/kube/key.go index 116359fd3..98e3f1946 100644 --- a/pkg/kube/key.go +++ b/pkg/kube/key.go @@ -16,7 +16,7 @@ package kube import "sigs.k8s.io/controller-runtime/pkg/client" -// key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped +// Key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped func Key(name string, namespace ...string) client.ObjectKey { if len(namespace) > 1 { panic("you can only provide one namespace") diff --git a/pkg/reconciler/reconciler.go b/pkg/reconciler/reconciler.go index 1502f5f0c..d61cf03e7 100644 --- a/pkg/reconciler/reconciler.go +++ b/pkg/reconciler/reconciler.go @@ -32,7 +32,7 @@ type ReconcileFunc[T client.Object] func(ctx context.Context, obj T) (ctrl.Resul // FinalizeFunc is a function that finalizes an object. It does not remove the finalizer. type FinalizeFunc[T client.Object] func(ctx context.Context, obj T) error -// StandardRecociler encapsulates common reconciler behavior, allowing you to +// StandardReconciler encapsulates common reconciler behavior, allowing you to // implement a reconciler simply by providing a ReconcileFunc and an optional // FinalizeFunc. These functions are invoked at the appropriate time and are // passed the object being reconciled. diff --git a/pkg/test/util/supportedversion/supportedversion.go b/pkg/test/util/supportedversion/supportedversion.go index 59cd44e56..86a89013e 100644 --- a/pkg/test/util/supportedversion/supportedversion.go +++ b/pkg/test/util/supportedversion/supportedversion.go 
@@ -18,12 +18,14 @@ import ( "os" "path/filepath" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/pkg/test/project" "gopkg.in/yaml.v3" ) var ( List []VersionInfo + Map map[string]VersionInfo Default string Old string New string @@ -41,18 +43,28 @@ func init() { panic(err) } + List, Default, Old, New = mustParseVersionsYaml(versionsBytes) + + Map = make(map[string]VersionInfo) + for _, v := range List { + Map[v.Name] = v + } +} + +func mustParseVersionsYaml(yamlBytes []byte) (list []VersionInfo, defaultVersion string, oldVersion string, newVersion string) { versions := Versions{} - err = yaml.Unmarshal(versionsBytes, &versions) + err := yaml.Unmarshal(yamlBytes, &versions) if err != nil { panic(err) } - List = versions.Versions - Default = List[0].Name - if len(List) > 1 { - Old = List[1].Name + list = versions.Versions + defaultVersion = list[0].Name + if len(list) > 1 { + oldVersion = list[1].Name } - New = List[0].Name + newVersion = list[0].Name + return list, defaultVersion, oldVersion, newVersion } type Versions struct { @@ -60,10 +72,10 @@ type Versions struct { } type VersionInfo struct { - Name string `json:"name"` - Version string `json:"version"` - Repo string `json:"repo"` - Branch string `json:"branch,omitempty"` - Commit string `json:"commit"` - Charts []string `json:"charts,omitempty"` + Name string `json:"name"` + Version *semver.Version `json:"version"` + Repo string `json:"repo"` + Branch string `json:"branch,omitempty"` + Commit string `json:"commit"` + Charts []string `json:"charts,omitempty"` } diff --git a/pkg/test/util/supportedversion/supportedversion_test.go b/pkg/test/util/supportedversion/supportedversion_test.go new file mode 100644 index 000000000..a850ebbae --- /dev/null +++ b/pkg/test/util/supportedversion/supportedversion_test.go 
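Review bot: `mustParseVersionsYaml` indexes `list[0].Name` without checking that the parsed list is non-empty, so a versions.yaml with `versions: []` or a missing `versions` key panics at package init with an index-out-of-range rather than a message naming the problem. As the function already panics on bad input by design, an explicit guard before the indexing is cheap: `if len(list) == 0 { panic("versions.yaml must list at least one version") }`. In `init`, `Map[v.Name] = v` silently keeps the last entry when two versions share a name; a duplicate check there would catch a copy-paste mistake in versions.yaml before the tests that rely on `Map` run. `init` itself starts before this hunk (the read of versionsBytes is out of view).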
@@ -0,0 +1,78 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package supportedversion
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestInit(t *testing.T) {
+ // no need to call init(), since it's called automatically
+ assert.True(t, len(List) > 0, "List should not be empty")
+ assert.True(t, len(Map) > 0, "M should not be empty")
+ assert.True(t, Default != "", "Default should not be empty")
+ assert.True(t, Old != "", "Default should not be empty")
+ assert.True(t, New != "", "Default should not be empty")
+
+ assert.Equal(t, len(List), len(Map), "Map should be same size as List")
+ for _, vi := range List {
+ assert.Equal(t, vi, Map[vi.Name])
+ }
+}
+
+func TestParseVersionsYaml_ValidYaml(t *testing.T) {
+ yamlBytes := []byte(`
+versions:
+ - name: "1.0.0"
+ repo: "repo1"
+ commit: "commit1"
+ - name: "2.0.0"
+ repo: "repo2"
+ commit: "commit2"
+`)
+
+ list, defaultVersion, oldVersion, newVersion := mustParseVersionsYaml(yamlBytes)
+
+ assert.Len(t, list, 2)
+ assert.Equal(t, "1.0.0", defaultVersion)
+ assert.Equal(t, "2.0.0", oldVersion)
+ assert.Equal(t, "1.0.0", newVersion)
+}
+
+func TestParseVersionsYaml_SingleVersion(t *testing.T) {
+ yamlBytes := []byte(`
+versions:
+ - name: "1.0.0"
+ repo: "repo1"
+ commit: "commit1"
+`)
+
+ list, defaultVersion, oldVersion, newVersion := mustParseVersionsYaml(yamlBytes)
+
+ assert.Len(t, list, 1)
+ assert.Equal(t, "1.0.0", defaultVersion)
+
assert.Equal(t, "", oldVersion) + assert.Equal(t, "1.0.0", newVersion) +} + +func TestParseVersionsYaml_InvalidYaml(t *testing.T) { + yamlBytes := []byte(`invalid yaml`) + + assert.Panics(t, func() { + mustParseVersionsYaml(yamlBytes) + }) +} diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml index 7d589bb9e..90d7c8743 100644 --- a/resources/latest/charts/base/Chart.yaml +++ b/resources/latest/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/base/crds/crd-all.gen.yaml b/resources/latest/charts/base/files/crd-all.gen.yaml similarity index 98% rename from resources/latest/charts/base/crds/crd-all.gen.yaml rename to resources/latest/charts/base/files/crd-all.gen.yaml index 675d42a84..bb6080eff 100644 --- a/resources/latest/charts/base/crds/crd-all.gen.yaml +++ b/resources/latest/charts/base/files/crd-all.gen.yaml @@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
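Review bot: The assertion messages in `TestInit` are copy-paste leftovers — `"M should not be empty"` for Map, and both the `Old` and `New` checks say `"Default should not be empty"` — so a failure would point at the wrong variable. Replace those three with `assert.NotEmpty(t, Map, "Map should not be empty")`, `assert.NotEmpty(t, Old, "Old should not be empty")` and `assert.NotEmpty(t, New, "New should not be empty")`. The `TestParseVersionsYaml_*` fixtures omit the `version:` field, so the new `*semver.Version` field on VersionInfo is only exercised indirectly through the repo's real versions.yaml in `TestInit`; adding `version: "1.0.0"` to a fixture and asserting `list[0].Version.String()`, plus a fixture with a non-semver string that is expected to panic, would cover that unmarshalling directly. This hunk begins on the previous line, where the file's import block sits.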
@@ -6140,6 +6144,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -6147,12 +6152,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -7149,7 +7162,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7224,6 +7239,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7240,14 +7260,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic 
@@ -7255,11 +7280,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. @@ -7282,14 +7317,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -7361,6 +7414,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false 
@@ -7399,7 +7454,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7474,6 +7531,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7490,14 +7552,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7505,11 +7572,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7532,14 +7609,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -7611,6 +7706,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7649,7 +7746,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7724,6 +7823,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -7740,14 +7844,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7755,11 +7864,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7782,14 +7901,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -7861,6 +7998,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -8341,9 +8480,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -8874,9 +9018,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -9407,9 +9556,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -12800,8 +12954,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -12958,8 +13110,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13116,8 +13266,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true @@ -13170,10 +13318,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13202,13 +13352,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13223,6 +13377,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string 
@@ -13236,8 +13391,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -13245,15 +13406,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13264,12 +13428,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13329,8 +13497,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -13408,6 +13574,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13436,10 +13604,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: 
@@ -13468,13 +13638,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13489,6 +13663,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13502,8 +13677,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -13511,15 +13692,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13530,12 +13714,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -13595,8 +13783,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -13674,6 +13860,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13702,10 +13890,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13734,13 +13924,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13755,6 +13949,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13768,8 +13963,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -13777,15 +13978,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13796,12 +14000,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13861,8 +14069,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -13940,6 +14146,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -14243,8 +14451,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
@@ -14592,8 +14804,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -15247,10 +15463,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: @@ -15533,10 +15750,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: @@ -15898,6 +16116,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. 
@@ -16009,6 +16228,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -16342,6 +16564,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -16453,6 +16676,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml @@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 
--- a/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml @@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/base/files/profile-openshift-ambient.yaml b/resources/latest/charts/base/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/base/files/profile-openshift-ambient.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/base/files/profile-platform-k3d.yaml similarity index 52% rename from resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml rename to resources/latest/charts/base/files/profile-platform-k3d.yaml index f855500b0..cd86d9ec5 100644 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/base/files/profile-platform-k3d.yaml @@ -2,9 +2,6 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin 
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml b/resources/latest/charts/base/files/profile-platform-k3s.yaml similarity index 51% rename from resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml rename to resources/latest/charts/base/files/profile-platform-k3s.yaml index 358282e69..f3f2884aa 100644 --- a/resources/v1.23.0/charts/ztunnel/files/profile-stable.yaml +++ b/resources/latest/charts/base/files/profile-platform-k3s.yaml @@ -2,7 +2,6 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ diff --git a/resources/latest/charts/base/files/profile-platform-microk8s.yaml b/resources/latest/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/latest/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/latest/charts/base/files/profile-platform-minikube.yaml b/resources/latest/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/latest/charts/base/files/profile-platform-minikube.yaml 
@@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/gateway/files/profile-openshift.yaml b/resources/latest/charts/base/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/gateway/files/profile-openshift.yaml rename to resources/latest/charts/base/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 --- a/resources/latest/charts/gateway/files/profile-openshift.yaml +++ b/resources/latest/charts/base/files/profile-platform-openshift.yaml @@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/base/files/profile-remote.yaml b/resources/latest/charts/base/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/latest/charts/base/files/profile-remote.yaml 
@@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/latest/charts/base/templates/crds.yaml b/resources/latest/charts/base/templates/crds.yaml index af9901c6e..f7756d132 100644 --- a/resources/latest/charts/base/templates/crds.yaml +++ b/resources/latest/charts/base/templates/crds.yaml @@ -1,3 +1,21 @@ +# TODO enableCRDTemplates is now defaulted to true as we +# want to always self-manage CRD upgrades via plain templates, +# so we should remove this flag after a few releases {{- if .Values.base.enableCRDTemplates }} -{{ .Files.Get "crds/crd-all.gen.yaml" }} +{{- $replacement := include "istio.labels" . | fromYaml}} +{{- range $crd := .Files.Get "files/crd-all.gen.yaml"|splitList "\n---\n"}} +{{- $name := (index ($crd |fromYaml) "metadata" "name") }} +{{- if not (has $name $.Values.base.excludedCRDs)}} +{{- $asDict := ($crd | fromYaml) }} +# If we are templating these CRDs, we want to wipe out the "static"/legacy +# labels and replace them with the standard templated istio ones. +# This allows the continued use of `kubectl apply -f crd-all.gen.yaml` +# without any templating+the old labels, if desired. +{{- $_ := set $asDict.metadata "labels" $replacement }} +{{$asDict | toYaml }} +--- +{{- end }} +{{- end }} +{{- else }} +{{ .Files.Get "files/crd-all.gen.yaml" }} {{- end }} 
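Review bot: In the crds.yaml hunk each CRD document is parsed twice in the range loop (`$crd | fromYaml` once for `$name` and again for `$asDict`), and `index ($crd | fromYaml) "metadata" "name"` runs before anything checks that the chunk is a real document, so an empty or comment-only chunk produced by `splitList "\n---\n"` (a trailing separator, for instance) would abort the whole render with an index-of-nil error. Parsing once and reading the name nil-safely avoids both: `{{- $asDict := $crd | fromYaml }}`, `{{- $name := dig "metadata" "name" "" $asDict }}`, `{{- if and $name (not (has $name $.Values.base.excludedCRDs)) }}`, dropping the later re-parse inside the branch. Whether crd-all.gen.yaml can ever contain such a chunk is not visible here, so treat this as hardening rather than a reproduced failure.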
diff --git a/resources/latest/charts/base/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml similarity index 100% rename from resources/latest/charts/base/templates/validatingadmissionpolicy.yaml rename to resources/latest/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml diff --git a/resources/latest/charts/base/templates/default.yaml b/resources/latest/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml similarity index 100% rename from resources/latest/charts/base/templates/default.yaml rename to resources/latest/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml diff --git a/resources/latest/charts/base/templates/endpoints.yaml b/resources/latest/charts/base/templates/endpoints.yaml deleted file mode 100644 index 1cc26dd78..000000000 --- a/resources/latest/charts/base/templates/endpoints.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/resources/latest/charts/base/templates/reader-serviceaccount.yaml b/resources/latest/charts/base/templates/reader-serviceaccount.yaml index 342eea41f..ba829a6bf 100644 --- a/resources/latest/charts/base/templates/reader-serviceaccount.yaml 
+++ b/resources/latest/charts/base/templates/reader-serviceaccount.yaml @@ -1,4 +1,6 @@ -# This service account aggregates reader permissions for the revisions in a given cluster +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. # Should be used for remote secret creation. apiVersion: v1 kind: ServiceAccount diff --git a/resources/latest/charts/base/templates/zzz_profile.yaml b/resources/latest/charts/base/templates/zzz_profile.yaml index b96dcafcb..35623047c 100644 --- a/resources/latest/charts/base/templates/zzz_profile.yaml +++ b/resources/latest/charts/base/templates/zzz_profile.yaml @@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} {{- $profile := dict }} {{- with .Values.profile }} {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} 
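Review bot: The new `fail` message in zzz_profile.yaml says "Setting with .default prefix found" while the condition tests `$.Values.defaults` and the example in the same string uses `defaults.hub`, so the text should read `"Setting with .defaults prefix found; remove it. ..."`. The same message also dumps the entire stray subtree via `($.Values.defaults | toYaml | nindent 4)`, which echoes whatever the user put there into CLI output and CI logs; listing only the keys, e.g. `($.Values.defaults | keys | sortAlpha | join ", ")`, tells the user what to move without reprinting the values. The identical hunk appears again in cni/templates/zzz_profile.yaml further down.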
@@ -33,12 +38,19 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} # Flatten globals, if defined on a per-chart basis {{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} {{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/latest/charts/base/values.yaml b/resources/latest/charts/base/values.yaml index fae4e61e4..98c9c3645 100644 --- a/resources/latest/charts/base/values.yaml +++ b/resources/latest/charts/base/values.yaml @@ -1,6 +1,6 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: global: # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace 
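Review bot: The rewritten `mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)` sits under `{{- if false }}`, so it is never executed but still has to parse on every render, and the "Flatten globals" comment above it describes a step that does not happen. If the block is deliberately disabled pending a later change, a comment next to `{{- if false }}` saying so (and why) would stop readers from assuming globals are flattened; otherwise drop the block. The platform lookup added above it looks sound: `.Files.Get` only resolves files packaged in the chart, so an unexpected `global.platform` value ends in the `fail "unknown platform"` branch rather than reading anything outside the chart. The same hunk appears in cni/templates/zzz_profile.yaml.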
@@ -11,22 +11,22 @@ defaults: # Used to locate istiod. istioNamespace: istio-system - externalIstiod: false - remotePilotAddress: "" - # Platform where Istio is deployed. Possible values are: "openshift", "gcp". # An empty value means it is a vanilla Kubernetes distribution, therefore no special # treatment will be considered. platform: "" - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - # This is intended only for use with external istiod. - ipFamilyPolicy: "" - ipFamilies: [] - base: - # Used for helm2 to add the CRDs to templates. - enableCRDTemplates: false + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true # Validation webhook configuration url # For example: https://$remotePilotAddress:15017/validate diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml index 72b0cbb69..07bc06d3c 100644 --- a/resources/latest/charts/cni/Chart.yaml +++ b/resources/latest/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: 
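Review bot: The new comment in values.yaml has a stray extra backtick: `--set _internal_defaults_do_not_set.foo=bar``, just set` should be `--set _internal_defaults_do_not_set.foo=bar`, just set`. The same line is duplicated in cni/values.yaml further down.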
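Review bot: The comment on `enableCRDTemplates: true` explains why Helm's own CRD handling is bypassed but not the operational consequence: once CRDs are rendered as ordinary templated resources, `helm uninstall` of the base chart deletes the CRDs and, with them, every Istio custom resource in the cluster. Suggest adding a line such as `# NOTE: templated CRDs are removed on 'helm uninstall' of this chart, taking all Istio custom resources with them; detach or back them up first.` Alternatively the templated CRDs in crds.yaml could carry the `helm.sh/resource-policy: keep` annotation so an uninstall leaves them in place; which behaviour is intended is not visible from this hunk.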
@@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: 
@@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/cni/files/profile-openshift-ambient.yaml b/resources/latest/charts/cni/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/cni/files/profile-openshift-ambient.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/cni/files/profile-platform-k3d.yaml b/resources/latest/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/latest/charts/cni/files/profile-platform-k3s.yaml b/resources/latest/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ 
diff --git a/resources/latest/charts/cni/files/profile-platform-microk8s.yaml b/resources/latest/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/latest/charts/cni/files/profile-platform-minikube.yaml b/resources/latest/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/latest/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/istiod-remote/files/profile-openshift.yaml b/resources/latest/charts/cni/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/istiod-remote/files/profile-openshift.yaml rename to resources/latest/charts/cni/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 --- a/resources/latest/charts/istiod-remote/files/profile-openshift.yaml +++ b/resources/latest/charts/cni/files/profile-platform-openshift.yaml 
@@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/cni/files/profile-remote.yaml b/resources/latest/charts/cni/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/latest/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/latest/charts/cni/templates/clusterrole.yaml b/resources/latest/charts/cni/templates/clusterrole.yaml index a1640c5d4..30f159603 100644 --- a/resources/latest/charts/cni/templates/clusterrole.yaml +++ b/resources/latest/charts/cni/templates/clusterrole.yaml @@ -18,7 +18,7 @@ rules: - apiGroups: [""] resources: ["pods","nodes","namespaces"] verbs: ["get", "list", "watch"] -{{- if (eq .Values.platform "openshift") }} +{{- if (eq (coalesce .Values.platform .Values.global.platform) "openshift") }} - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] resourceNames: ["privileged"] 
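Review bot: In the clusterrole.yaml hunk, `coalesce .Values.platform .Values.global.platform` dereferences `.Values.global` directly, so a render where `global` is absent or null fails with a nil-pointer error instead of falling back, whereas zzz_profile.yaml reads the same value with the nil-safe form. `{{- if (eq (coalesce .Values.platform (.Values.global).platform) "openshift") }}` keeps the fallback while tolerating a missing `global`. If the defaults merge guarantees `global` is always populated, this is only a consistency nit.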
diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml index fad5c3287..2ce4a0665 100644 --- a/resources/latest/charts/cni/templates/daemonset.yaml +++ b/resources/latest/charts/cni/templates/daemonset.yaml @@ -82,7 +82,6 @@ spec: {{- end }} ports: - containerPort: 15014 - hostPort: 15014 name: metrics protocol: TCP readinessProbe: diff --git a/resources/latest/charts/cni/templates/zzz_profile.yaml b/resources/latest/charts/cni/templates/zzz_profile.yaml index b96dcafcb..35623047c 100644 --- a/resources/latest/charts/cni/templates/zzz_profile.yaml +++ b/resources/latest/charts/cni/templates/zzz_profile.yaml @@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} {{- $profile := dict }} {{- with .Values.profile }} {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} 
@@ -33,12 +38,19 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} {{- end }} {{- end }} +{{- if ($.Values.global).platform }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" ($.Values.global).platform) }} +{{- end }} +{{- end }} {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} # Flatten globals, if defined on a per-chart basis {{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} {{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml index ff80bed0a..491f58253 100644 --- a/resources/latest/charts/cni/values.yaml +++ b/resources/latest/charts/cni/values.yaml @@ -1,6 +1,6 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: hub: "" tag: "" variant: "" @@ -112,7 +112,7 @@ defaults: hub: gcr.io/istio-testing # Default tag for Istio images. - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 # Variant of the image to use. # Currently supported are: [debug, distroless] 
diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml index 344196f94..49bde88c7 100644 --- a/resources/latest/charts/gateway/Chart.yaml +++ b/resources/latest/charts/gateway/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for deploying Istio gateways icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ name: gateway sources: - https://github.com/istio/istio type: application -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml @@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes @@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml 
+++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml b/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml +++ /dev/null 
@@ -1,28 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
-global:
- platform: openshift
- variant: distroless
- seLinuxOptions:
- type: spc_t
-cni:
- ambient:
- enabled: true
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-pilot:
- cni:
- enabled: true
- provider: "multus"
- env:
- PILOT_ENABLE_AMBIENT: "true"
\ No newline at end of file
diff --git a/resources/latest/charts/gateway/files/profile-platform-k3d.yaml b/resources/latest/charts/gateway/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/latest/charts/gateway/files/profile-platform-k3s.yaml b/resources/latest/charts/gateway/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/latest/charts/gateway/files/profile-platform-microk8s.yaml b/resources/latest/charts/gateway/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/resources/latest/charts/gateway/files/profile-platform-minikube.yaml b/resources/latest/charts/gateway/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniNetnsDir: /var/run/docker/netns
diff --git a/resources/latest/charts/base/files/profile-openshift.yaml b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml
similarity index 84%
rename from resources/latest/charts/base/files/profile-openshift.yaml
rename to resources/latest/charts/gateway/files/profile-platform-openshift.yaml
index 38357bd99..69eda2b1d 100644
--- a/resources/latest/charts/base/files/profile-openshift.yaml
+++ b/resources/latest/charts/gateway/files/profile-platform-openshift.yaml
@@ -3,18 +3,15 @@
 # If you want to make a change in this file, edit the original one and run "make gen".

 # The OpenShift profile provides a basic set of settings to run Istio on OpenShift
-# CNI must be installed.
 cni:
 cniBinDir: /var/lib/cni/bin
 cniConfDir: /etc/cni/multus/net.d
 chained: false
 cniConfFileName: "istio-cni.conf"
- logLevel: info
 provider: "multus"
-global:
- platform: openshift
 pilot:
 cni:
 enabled: true
 provider: "multus"
-platform: openshift
\ No newline at end of file
+seLinuxOptions:
+ type: spc_t
diff --git a/resources/latest/charts/gateway/files/profile-remote.yaml b/resources/latest/charts/gateway/files/profile-remote.yaml
new file mode 100644
index 000000000..d17b9a801
--- /dev/null
+++ b/resources/latest/charts/gateway/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/resources/latest/charts/gateway/templates/deployment.yaml b/resources/latest/charts/gateway/templates/deployment.yaml
index 73ecc1a73..e9bfbbd36 100644
--- a/resources/latest/charts/gateway/templates/deployment.yaml
+++ b/resources/latest/charts/gateway/templates/deployment.yaml
@@ -15,6 +15,13 @@ spec:
 replicas: {{ . }}
 {{- end }}
 {{- end }}
+ {{- with .Values.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.minReadySeconds }}
+ minReadySeconds: {{ . }}
+ {{- end }}
 selector:
 matchLabels:
 {{- include "gateway.selectorLabels" . | nindent 6 }}
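Review bot: `{{- with .Values.minReadySeconds }}` treats the integer 0 as empty, so a user who explicitly sets `minReadySeconds: 0` gets no `minReadySeconds` field rendered at all; that is harmless only because 0 is what the Deployment API applies when the field is absent, and the same `with` idiom silently drops an empty `strategy: {}`. A one-line comment above the new block would stop the next maintainer from reading it as a bug: `{{- /* with skips 0 and {}; both render nothing, which matches the API defaults */}}`. The enclosing spec block starts and ends outside the hunk.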
@@ -93,7 +100,11 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 {{- with .Values.volumeMounts }}
 volumeMounts:
- {{ toYaml . | nindent 12 }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.readinessProbe }}
+ readinessProbe:
+ {{- toYaml . | nindent 12 }}
 {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
diff --git a/resources/latest/charts/gateway/templates/zzz_profile.yaml b/resources/latest/charts/gateway/templates/zzz_profile.yaml
index b96dcafcb..35623047c 100644
--- a/resources/latest/charts/gateway/templates/zzz_profile.yaml
+++ b/resources/latest/charts/gateway/templates/zzz_profile.yaml
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
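Review bot: The new `fail` message says `.default prefix` while the key it actually rejects is `$.Values.defaults` and its own example reads `--set defaults.hub=foo`, so the text should be `"Setting with .defaults prefix found; remove it. ..."` to match. Two spacing nits on the same added lines: `{{- if $.Values.defaults}}` and `toYaml |nindent 4` read better as `{{- if $.Values.defaults }}` and `toYaml | nindent 4`, which is how the rest of this template is written. The template continues outside the hunk. If this chart is a copy of an upstream chart, the wording fix belongs at the source of the copy.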
@@ -33,12 +38,19 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}

diff --git a/resources/latest/charts/gateway/values.schema.json b/resources/latest/charts/gateway/values.schema.json
index 4c4f0836d..3108259a9 100644
--- a/resources/latest/charts/gateway/values.schema.json
+++ b/resources/latest/charts/gateway/values.schema.json
@@ -60,6 +60,15 @@
 "env": {
 "type": "object"
 },
+ "strategy": {
+ "type": "object"
+ },
+ "minReadySeconds": {
+ "type": [ "null", "integer" ]
+ },
+ "readinessProbe": {
+ "type": [ "null", "object" ]
+ },
 "labels": {
 "type": "object"
 },
diff --git a/resources/latest/charts/gateway/values.yaml b/resources/latest/charts/gateway/values.yaml
index 72205b4a1..b02240df1 100644
--- a/resources/latest/charts/gateway/values.yaml
+++ b/resources/latest/charts/gateway/values.yaml
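Review bot: The platform profile is merged into `$profile` with `mustMergeOverwrite` after the named-profile and compatibility-version blocks that precede it (their own merge calls sit outside this hunk), so any key the platform file sets silently wins over both, and nothing in the new code records that precedence. A short comment above `{{- if ($.Values.global).platform }}` would do: `{{- /* Platform profile is merged last: its keys override the named profile and the compatibility profile. */}}`. Separately, the rewritten `mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)` sits inside the pre-existing `{{- if false }}` guard and never executes, so either the guard or that line deserves a note saying why it is kept rather than removed.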
@@ -1,6 +1,6 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 # Name allows overriding the release name. Generally this should not be set
 name: ""
 # revision declares which revision this gateway is a part of
@@ -84,6 +84,17 @@ defaults:
 # Pod environment variables
 env: {}

+ # Deployment Update strategy
+ strategy: {}
+
+ # Sets the Deployment minReadySeconds value
+ minReadySeconds:
+
+ # Optionally configure a custom readinessProbe. By default the control plane
+ # automatically injects the readinessProbe. If you wish to override that
+ # behavior, you may define your own readinessProbe here.
+ readinessProbe: {}
+
 # Labels to apply to all resources
 labels: {}

@@ -137,6 +148,7 @@ defaults:
 #
 podDisruptionBudget: {}

+ # Sets the per-pod terminationGracePeriodSeconds setting.
 terminationGracePeriodSeconds: 30

 # A list of `Volumes` added into the Gateway Pods. See
diff --git a/resources/latest/charts/istiod-remote/Chart.yaml b/resources/latest/charts/istiod-remote/Chart.yaml
deleted file mode 100644
index 1f72b8275..000000000
--- a/resources/latest/charts/istiod-remote/Chart.yaml
+++ /dev/null
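Review bot: The rewritten second comment line ends its example with two backticks where one is meant, so it renders as `--set _internal_defaults_do_not_set.foo=bar`` followed by a stray backtick; the line should read `# For instance, instead of ` followed by the single-backticked `--set _internal_defaults_do_not_set.foo=bar`, then `, just set ` and the single-backticked `--set foo=bar`. The old version of the line on the removed side has the correct single backticks and can be used as the model.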
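Review bot: `minReadySeconds:` is added as a bare key, which YAML reads as null; the sibling defaults added in the same hunk, `strategy: {}` and `readinessProbe: {}`, spell their empty value out, and the values.schema.json change in this commit already accepts `null` for this field. Writing `minReadySeconds: null` makes the intended "unset" explicit, keeps yamllint's empty-values check quiet, and reads consistently with the comment above it.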
@@ -1,11 +0,0 @@
-apiVersion: v2
-appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
-description: Helm chart for a remote cluster using an external istio control plane
-icon: https://istio.io/latest/favicons/android-192x192.png
-keywords:
-- istio
-- external-istiod
-name: istiod-remote
-sources:
-- https://github.com/istio/istio
-version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
diff --git a/resources/latest/charts/istiod-remote/files/injection-template.yaml b/resources/latest/charts/istiod-remote/files/injection-template.yaml
deleted file mode 100644
index 63bc0e734..000000000
--- a/resources/latest/charts/istiod-remote/files/injection-template.yaml
+++ /dev/null
@@ -1,536 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index 
.ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts 
}}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ 
.ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations 
`traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else 
}} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. 
*/}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: 
ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta 
`sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . 
}} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod-remote/files/profile-ambient.yaml b/resources/latest/charts/istiod-remote/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/istiod-remote/files/profile-demo.yaml b/resources/latest/charts/istiod-remote/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-demo.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. 
https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml b/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/templates/_helpers.tpl b/resources/latest/charts/istiod-remote/templates/_helpers.tpl deleted file mode 100644 index 042c92538..000000000 --- a/resources/latest/charts/istiod-remote/templates/_helpers.tpl +++ /dev/null 
@@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/clusterrole.yaml deleted file mode 100644 index b2eeb92cc..000000000 --- a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -{{- if .Values.global.configCluster }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", 
"patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch" ] - resources: [ "serviceentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . 
| quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . 
| nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml b/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml deleted file mode 100644 index ced064bdc..000000000 --- a/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/configmap.yaml b/resources/latest/charts/istiod-remote/templates/configmap.yaml deleted file mode 100644 index 109e2bb82..000000000 --- a/resources/latest/charts/istiod-remote/templates/configmap.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." 
.Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . 
| fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/default.yaml b/resources/latest/charts/istiod-remote/templates/default.yaml deleted file mode 100644 index bfc464439..000000000 --- a/resources/latest/charts/istiod-remote/templates/default.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml b/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml deleted file mode 100644 index 857f04eb3..000000000 --- a/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} 
diff --git a/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml deleted file mode 100644 index b87691742..000000000 --- a/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . 
}} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} 
-{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml deleted file mode 100644 index 5b7e734e4..000000000 --- a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml +++ /dev/null 
@@ -1,160 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: 
"Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "sidecar-injector" - {{- include "istio.labels" . | nindent 4 }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector 
is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml deleted file mode 100644 index 85707cb87..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: 
["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index aea9f01f7..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml b/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml deleted file mode 100644 index 342eea41f..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} diff --git a/resources/latest/charts/istiod-remote/templates/role.yaml b/resources/latest/charts/istiod-remote/templates/role.yaml deleted file mode 100644 index c9c4e47c1..000000000 --- a/resources/latest/charts/istiod-remote/templates/role.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} 
diff --git a/resources/latest/charts/istiod-remote/templates/rolebinding.yaml b/resources/latest/charts/istiod-remote/templates/rolebinding.yaml deleted file mode 100644 index 717eeabee..000000000 --- a/resources/latest/charts/istiod-remote/templates/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml b/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml deleted file mode 100644 index c2dad3b70..000000000 --- a/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | indent 4 }} - {{- end }} ---- -{{- end }} 
diff --git a/resources/latest/charts/istiod-remote/templates/services.yaml b/resources/latest/charts/istiod-remote/templates/services.yaml deleted file mode 100644 index 4290f2848..000000000 --- a/resources/latest/charts/istiod-remote/templates/services.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 71ea407ad..000000000 --- a/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? 
object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index c9e9eb22e..000000000 --- a/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. 
- failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml b/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml deleted file mode 100644 index ae8fced29..000000000 --- a/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml b/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml deleted file mode 100644 index b96dcafcb..000000000 --- a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. 
-*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/istiod-remote/values.yaml b/resources/latest/charts/istiod-remote/values.yaml deleted file mode 100644 index 3d511673d..000000000 --- a/resources/latest/charts/istiod-remote/values.yaml +++ /dev/null 
@@ -1,441 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - hub: "" - tag: "" - variant: "" - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - # Additional container arguments - extraContainerArgs: [] - env: {} - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - affinity: {} - tolerations: [] - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - # Additional volumes to the istiod pod - volumes: [] - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - topologySpreadConstraints: [] - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. 
This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - # Additional labels to apply to the deployment. - deploymentLabels: {} - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: false - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. 
For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - rewriteAppHTTPProbe: true - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. 
- # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - injectionCABundle: "" - telemetry: - enabled: false - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - # For Helm compatibility. - ownerName: "" - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - experimental: - stableValidationPolicy: false - global: - # Used to locate istiod. 
- istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - # Default tag for Istio images. - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. 
- istiod: - enableAnalysis: false - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - omitSidecarInjectorConfigMap: true - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - proxy: - image: proxyv2 - # This controls the 'policy' in the sidecar injector. 
- autoInject: enabled - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - # The period between readiness probes. - readinessPeriodSeconds: 15 - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. 
- # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. 
- externalIstiod: true - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. 
The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. 
- # Setting this port to a non-zero value enables STS server. - servicePort: 0 - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml index 5dfee6540..c064a3baa 100644 --- a/resources/latest/charts/istiod/Chart.yaml +++ b/resources/latest/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 +version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1 diff --git a/resources/latest/charts/istiod/files/injection-template.yaml b/resources/latest/charts/istiod/files/injection-template.yaml index 63bc0e734..f41122f9b 100644 
--- a/resources/latest/charts/istiod/files/injection-template.yaml +++ b/resources/latest/charts/istiod/files/injection-template.yaml @@ -125,6 +125,8 @@ spec: {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} diff --git a/resources/latest/charts/istiod/files/kube-gateway.yaml b/resources/latest/charts/istiod/files/kube-gateway.yaml index a2b1c904a..dbe158de1 100644 --- a/resources/latest/charts/istiod/files/kube-gateway.yaml +++ b/resources/latest/charts/istiod/files/kube-gateway.yaml @@ -103,6 +103,9 @@ spec: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -325,6 +328,7 @@ metadata: name: {{.Name}} uid: {{.UID}} spec: + ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml index 2b72bd93c..c8da4d2e1 100644 --- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml +++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml @@ -15,6 +15,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: # 1.22 behavioral changes 
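Review bot: The new `{{ else if .Values.global.proxy_init.forceApplyIptables -}}` branch reads a value that nothing visible in this diff declares; the removed values tail earlier in the diff lists only `image` under `proxy_init`, so unless a values.yaml hunk I cannot see adds it, the flag renders as false and is undiscoverable to operators. Declare it next to `image` with a one-line comment, e.g. `forceApplyIptables: false` preceded by `# When pilot.cni.enabled is false, pass --force-apply to the init container.`. The container spec this branch sits in starts before the hunk.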
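Review bot: `ipFamilyPolicy: PreferDualStack` is hard-coded into the generated gateway Service in kube-gateway.yaml with no comment and no values knob, while the surrounding port list is driven from the Gateway resource. On a single-stack cluster the API server falls back to a single family, so it is safe, but a reader will want the intent spelled out: `# PreferDualStack: dual-stack when the cluster supports it, otherwise the cluster's single family.`. The new `containerPort: 15020` named `metrics` is only a declaration here; whether it is also exposed through the Service is outside this hunk.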
@@ -23,6 +25,9 @@ meshConfig: ISTIO_DELTA_XDS: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" tracing: zipkin: address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml index 2badb70a5..70d8eb40c 100644 --- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml +++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml @@ -11,6 +11,8 @@ pilot: ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" meshConfig: defaultConfig: @@ -19,3 +21,6 @@ meshConfig: ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml index f855500b0..636bb6f15 100644 --- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml +++ b/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml 
@@ -7,4 +7,13 @@ pilot: # 1.24 behavioral changes ENABLE_INBOUND_RETRY_POLICY: "false" EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" diff --git a/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml b/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/istiod/files/profile-openshift.yaml b/resources/latest/charts/istiod/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/istiod/files/profile-openshift.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/istiod/files/profile-platform-k3d.yaml b/resources/latest/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 000000000..cd86d9ec5 --- /dev/null +++ b/resources/latest/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/resources/latest/charts/istiod/files/profile-platform-k3s.yaml b/resources/latest/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 000000000..f3f2884aa --- /dev/null +++ b/resources/latest/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/current/bin/ 
diff --git a/resources/latest/charts/istiod/files/profile-platform-microk8s.yaml b/resources/latest/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 000000000..57d7f5e3c --- /dev/null +++ b/resources/latest/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/resources/latest/charts/istiod/files/profile-platform-minikube.yaml b/resources/latest/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 000000000..fa9992e20 --- /dev/null +++ b/resources/latest/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/resources/latest/charts/cni/files/profile-openshift.yaml b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml similarity index 84% rename from resources/latest/charts/cni/files/profile-openshift.yaml rename to resources/latest/charts/istiod/files/profile-platform-openshift.yaml index 38357bd99..69eda2b1d 100644 --- a/resources/latest/charts/cni/files/profile-openshift.yaml +++ b/resources/latest/charts/istiod/files/profile-platform-openshift.yaml 
@@ -3,18 +3,15 @@ # If you want to make a change in this file, edit the original one and run "make gen". # The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. cni: cniBinDir: /var/lib/cni/bin cniConfDir: /etc/cni/multus/net.d chained: false cniConfFileName: "istio-cni.conf" - logLevel: info provider: "multus" -global: - platform: openshift pilot: cni: enabled: true provider: "multus" -platform: openshift \ No newline at end of file +seLinuxOptions: + type: spc_t diff --git a/resources/latest/charts/istiod/files/profile-remote.yaml b/resources/latest/charts/istiod/files/profile-remote.yaml new file mode 100644 index 000000000..d17b9a801 --- /dev/null +++ b/resources/latest/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml index e01409503..f12a128f4 100644 --- a/resources/latest/charts/istiod/files/waypoint.yaml +++ b/resources/latest/charts/istiod/files/waypoint.yaml 
@@ -68,11 +68,30 @@ spec: "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 8}} spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -218,8 +237,8 @@ spec: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data diff --git a/resources/latest/charts/istiod/templates/autoscale.yaml b/resources/latest/charts/istiod/templates/autoscale.yaml index 5283a5090..363a834f2 100644 --- a/resources/latest/charts/istiod/templates/autoscale.yaml +++ b/resources/latest/charts/istiod/templates/autoscale.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler @@ -39,3 +41,4 @@ spec: {{- end }} --- {{- end }} +{{- end }} 
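Review bot: The four new `{{- if .Values.global.waypoint.* }}` blocks read `affinity`, `topologySpreadConstraints`, `nodeSelector` and `tolerations`, but the only `waypoint` key visible anywhere in this diff is `resources` (in the removed values tail), so these need declaring in values.yaml if no other hunk does it. Each deserves a short comment, e.g. `# Scheduling constraints for waypoint proxy pods; rendered verbatim with toYaml.`, so operators know the value is passed through unchanged. The pod spec these blocks sit in starts before the hunk.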
diff --git a/resources/latest/charts/istiod/templates/clusterrole.yaml b/resources/latest/charts/istiod/templates/clusterrole.yaml
index ac86e28b6..0c340b5b3 100644
--- a/resources/latest/charts/istiod/templates/clusterrole.yaml
+++ b/resources/latest/charts/istiod/templates/clusterrole.yaml
@@ -1,3 +1,5 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
 {{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
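Review bot: The guard `{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}` is pasted verbatim into seven templates in this commit (clusterrole, clusterrolebinding, role, rolebinding, serviceaccount, validatingadmissionpolicy, validatingwebhookconfiguration), and the expression is also more convoluted than it needs to be: it is equivalent to `or (not .Values.istiodRemote.enabled) .Values.global.configCluster`. Seven copies of a boolean that decides whether RBAC objects exist is a drift risk; define it once as a named template (name illustrative) and reference it, `{{- if include "istiod.configClusterResources" . }}`, so a future change to the remote/config-cluster rule lands in one place. The ClusterRole body continues outside this hunk.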
@@ -27,25 +29,35 @@ rules: resources: ["*"] {{- if .Values.global.istiod.enableAnalysis }} - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status {{- end }} - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "workloadentries" ] - apiGroups: ["networking.istio.io"] verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch" ] - resources: [ "serviceentries/status" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] # auto-detect installed CRD definitions - apiGroups: ["apiextensions.k8s.io"] 
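Review bot: The new core-group rule near the end of the hunk grants `verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]` on `services/status`, and the same verb set is granted on `authorizationpolicies/status`; a `/status` subresource is only ever read and written with get/update/patch, so `create`, `delete`, `watch` and `list` widen the ClusterRole without enabling anything, and `authorizationpolicies/status` is now listed twice (once more in the `enableAnalysis` block with just update/patch). The pre-existing `workloadentries/status` rule has the same shape, so this looks like copy-paste rather than intent; trim the new rules to `verbs: [ "get", "update", "patch" ]` and drop the duplicate. Replacing the `resources: ["*"]` wildcard with explicit status subresources is the right least-privilege direction. The ClusterRole continues outside this hunk.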
@@ -117,11 +129,20 @@ rules: verbs: ["create"] # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + - apiGroups: ["gateway.networking.k8s.io"] resources: ["*"] verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status verbs: ["update", "patch"] - apiGroups: ["gateway.networking.k8s.io"] resources: ["gatewayclasses"] @@ -163,3 +184,4 @@ rules: verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] resources: [ "serviceaccounts"] {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/clusterrolebinding.yaml b/resources/latest/charts/istiod/templates/clusterrolebinding.yaml index 8a1a70f86..10781b407 100644 --- a/resources/latest/charts/istiod/templates/clusterrolebinding.yaml +++ b/resources/latest/charts/istiod/templates/clusterrolebinding.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -35,3 +37,4 @@ subjects: name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} namespace: {{ .Values.global.istioNamespace }} {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/configmap-jwks.yaml b/resources/latest/charts/istiod/templates/configmap-jwks.yaml index df60db12a..6d4ce6c73 100644 --- a/resources/latest/charts/istiod/templates/configmap-jwks.yaml 
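Review bot: The explicit `*/status` list that replaces `resources: ["*"]` in the `gateway.networking.k8s.io` update/patch rule carries no comment saying it must track the Gateway API kinds istiod writes status for; the next kind added to istiod will surface only as a forbidden status update at runtime. Suggest `# Keep in sync with the Gateway API kinds istiod reports status for; a missing entry shows up as a forbidden status write.` above that `resources:` line, and the same note on the Istio-group status list in the previous hunk. The ClusterRole continues outside this hunk.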
+++ b/resources/latest/charts/istiod/templates/configmap-jwks.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- if .Values.jwksResolverExtraRootCA }} apiVersion: v1 kind: ConfigMap @@ -14,3 +16,4 @@ metadata: data: extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/deployment.yaml b/resources/latest/charts/istiod/templates/deployment.yaml index 3b8ea75d9..2e07d1233 100644 --- a/resources/latest/charts/istiod/templates/deployment.yaml +++ b/resources/latest/charts/istiod/templates/deployment.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} apiVersion: apps/v1 kind: Deployment metadata: @@ -81,6 +83,10 @@ spec: serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} {{- if .Values.global.priorityClassName }} priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} containers: - name: discovery @@ -116,12 +122,19 @@ spec: ports: - containerPort: 8080 protocol: TCP + name: http-debug - containerPort: 15010 protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds - containerPort: 15017 protocol: TCP + name: https-webhooks - containerPort: 15014 protocol: TCP + name: http-monitoring readinessProbe: httpGet: path: /ready @@ -189,8 +202,9 @@ spec: valueFrom: resourceFieldRef: resource: limits.cpu + divisor: "1" - name: PLATFORM - value: "{{ .Values.global.platform }}" + value: "{{ coalesce .Values.global.platform .Values.platform }}" resources: {{- if .Values.resources }} {{ toYaml .Values.resources | trim | indent 12 }} @@ -275,3 +289,4 @@ spec: {{- end }} --- +{{- end }} 
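Review bot: The new `{{- with .Values.initContainers }}` block in deployment.yaml runs operator-supplied YAML through `tpl (toYaml .) $`, so anything in that value is expanded as a template with the chart's top-level context; that is a common Helm pattern but it should be stated next to the value, and `initContainers` does not appear in any values hunk I can see. Suggest `# Extra init containers for the istiod pod. Passed through tpl, so {{ }} expressions are expanded with the chart's top-level context.` at the declaration. The port names added in the same file (`http-debug`, `grpc-xds`, `tls-xds`, `https-webhooks`, `http-monitoring`) are a welcome improvement for NetworkPolicy and monitoring references. The Deployment spec continues outside these hunks.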
diff --git a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml index 5b7e734e4..c1428bf60 100644 --- a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml +++ b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml @@ -1,3 +1,4 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. {{- /* Core defines the common configuration used by all webhook segments */}} {{/* Copy just what we need to avoid expensive deepCopy */}} {{- $whv := dict @@ -50,8 +51,12 @@ metadata: operator.istio.io/component: "Pilot" app: sidecar-injector release: {{ .Release.Name }} - app.kubernetes.io/name: "sidecar-injector" + app.kubernetes.io/name: "istiod" {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} webhooks: {{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} diff --git a/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml b/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml index ed8931727..8ba27dc0b 100644 --- a/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml +++ b/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml @@ -1,3 +1,5 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- if .Values.global.defaultPodDisruptionBudget.enabled }} apiVersion: policy/v1 kind: PodDisruptionBudget @@ -25,3 +27,4 @@ spec: {{- end }} --- {{- end }} +{{- end }} 
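Review bot: `# TODO BML istiodRemote.injectionURL is invalid to set if ...` is a plain YAML comment placed before the first template action in mutatingwebhook.yaml, so Helm copies it into every rendered MutatingWebhookConfiguration; a developer note belongs in a template comment that is stripped at render time, `{{- /* TODO: istiodRemote.injectionURL is only meaningful when istiodRemote.enabled is true; express that constraint. */ -}}`. The same comment is added at the top of revision-tags.yaml. Separately, renaming the label `app.kubernetes.io/name` from `"sidecar-injector"` to `"istiod"` changes a selectable value; if anything outside the chart selects on the old value, that deserves a changelog line. The webhook definition continues outside these hunks.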
diff --git a/resources/latest/charts/istiod-remote/templates/endpoints.yaml b/resources/latest/charts/istiod/templates/remote-istiod-endpoints.yaml similarity index 82% rename from resources/latest/charts/istiod-remote/templates/endpoints.yaml rename to resources/latest/charts/istiod/templates/remote-istiod-endpoints.yaml index 1cc26dd78..da0fe7bfe 100644 --- a/resources/latest/charts/istiod-remote/templates/endpoints.yaml +++ b/resources/latest/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -1,12 +1,14 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} # if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} apiVersion: v1 kind: Endpoints metadata: - {{- if .Values.pilot.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} + {{- if .Values.global.externalIstiod }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote {{- end }} namespace: {{ .Release.Namespace }} labels: @@ -24,3 +26,4 @@ subsets: protocol: TCP --- {{- end }} +{{- end }} diff --git a/resources/latest/charts/base/templates/services.yaml b/resources/latest/charts/istiod/templates/remote-istiod-service.yaml similarity index 70% rename from resources/latest/charts/base/templates/services.yaml rename to resources/latest/charts/istiod/templates/remote-istiod-service.yaml index 4290f2848..d33196301 100644 --- a/resources/latest/charts/base/templates/services.yaml +++ b/resources/latest/charts/istiod/templates/remote-istiod-service.yaml 
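Review bot: The IPv4 test `{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}`, moved under the new `istiodRemote.enabled` guard, accepts malformed strings such as `1.2.3.` or `...` and never matches an IPv6 literal, so as I read the two files an IPv6 `remotePilotAddress` falls through to the `type: ExternalName` branch in remote-istiod-service.yaml with an IP literal as `externalName`, which DNS cannot resolve. Tighten at least the octet shape, `{{- if regexMatch "^([0-9]{1,3}\\.){3}[0-9]{1,3}$" .Values.global.remotePilotAddress }}`, and either document that only IPv4 addresses or hostnames are supported or extend the match to IPv6. The same expression appears in the second hunk of remote-istiod-service.yaml.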
@@ -1,13 +1,12 @@ -{{- if .Values.global.remotePilotAddress }} +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} apiVersion: v1 kind: Service metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane + {{- if .Values.global.externalIstiod }} name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote {{- end }} namespace: {{ .Release.Namespace }} labels: @@ -22,7 +21,7 @@ spec: targetPort: 15017 name: tcp-webhook protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} # if the remotePilotAddress is not an IP addr, we use ExternalName type: ExternalName externalName: {{ .Values.global.remotePilotAddress }} diff --git a/resources/latest/charts/istiod/templates/revision-tags.yaml b/resources/latest/charts/istiod/templates/revision-tags.yaml index 1d13d62d5..31c221d30 100644 --- a/resources/latest/charts/istiod/templates/revision-tags.yaml +++ b/resources/latest/charts/istiod/templates/revision-tags.yaml @@ -1,6 +1,7 @@ # Adapted from istio-discovery/templates/mutatingwebhook.yaml # Removed paths for legacy and default selectors since a revision tag # is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. {{- $whv := dict "revision" .Values.revision "injectionPath" .Values.istiodRemote.injectionPath 
@@ -30,6 +31,8 @@ a unique prefix to each. */}} failurePolicy: Fail admissionReviewVersions: ["v1"] {{- end }} +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} {{- range $tagName := $.Values.revisionTags }} apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration @@ -46,8 +49,12 @@ metadata: operator.istio.io/component: "Pilot" app: sidecar-injector release: {{ $.Release.Name }} - app.kubernetes.io/name: "sidecar-injector" + app.kubernetes.io/name: "istiod" {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} webhooks: {{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} namespaceSelector: @@ -141,3 +148,4 @@ webhooks: {{- end }} --- {{- end }} +{{- end }} diff --git a/resources/latest/charts/istiod/templates/role.yaml b/resources/latest/charts/istiod/templates/role.yaml index 68e44d4de..10d89e8d1 100644 --- a/resources/latest/charts/istiod/templates/role.yaml +++ b/resources/latest/charts/istiod/templates/role.yaml @@ -1,3 +1,5 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -30,3 +32,4 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/resources/latest/charts/istiod/templates/rolebinding.yaml b/resources/latest/charts/istiod/templates/rolebinding.yaml index cdb3f5dab..a42f4ec44 100644 --- a/resources/latest/charts/istiod/templates/rolebinding.yaml +++ b/resources/latest/charts/istiod/templates/rolebinding.yaml 
@@ -1,3 +1,5 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -16,3 +18,4 @@ subjects:
 - kind: ServiceAccount
 name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
 namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/resources/latest/charts/istiod/templates/service.yaml b/resources/latest/charts/istiod/templates/service.yaml
index d474462c6..8829f0f43 100644
--- a/resources/latest/charts/istiod/templates/service.yaml
+++ b/resources/latest/charts/istiod/templates/service.yaml
@@ -1,3 +1,5 @@
+# Not created if istiod is running remotely
+{{- if not .Values.istiodRemote.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -50,3 +52,4 @@ spec:
 {{- end }}
 {{- end }}
 ---
+{{- end }}
diff --git a/resources/latest/charts/istiod/templates/serviceaccount.yaml b/resources/latest/charts/istiod/templates/serviceaccount.yaml
index 280695d5a..22b841e87 100644
--- a/resources/latest/charts/istiod/templates/serviceaccount.yaml
+++ b/resources/latest/charts/istiod/templates/serviceaccount.yaml
@@ -1,3 +1,5 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
 apiVersion: v1
 kind: ServiceAccount
 {{- if .Values.global.imagePullSecrets }}
@@ -18,4 +20,5 @@ metadata:
 annotations:
 {{- toYaml .Values.serviceAccountAnnotations | indent 4 }}
 {{- end }}
+{{- end }}
 ---
diff --git a/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml
index acf732916..d36eef68e 100644
--- a/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml
+++ b/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml
@@ -1,3 +1,5 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
 {{- if .Values.experimental.stableValidationPolicy }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
@@ -58,3 +60,4 @@ spec:
 policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io"
 validationActions: [Deny]
 {{- end }}
+{{- end }}
diff --git a/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml
index 116ce4ce7..fb28836a0 100644
--- a/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml
+++ b/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml
@@ -1,3 +1,5 @@
+# Created if this is not a remote istiod, OR if it is and is also a config cluster
+{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }}
 {{- if .Values.global.configValidation }}
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -63,3 +65,4 @@ webhooks:
 {{- end }}
 ---
 {{- end }}
+{{- end }}
diff --git a/resources/latest/charts/istiod/templates/zzz_profile.yaml b/resources/latest/charts/istiod/templates/zzz_profile.yaml
index b96dcafcb..35623047c 100644
--- a/resources/latest/charts/istiod/templates/zzz_profile.yaml
+++ b/resources/latest/charts/istiod/templates/zzz_profile.yaml
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,12 +38,19 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if false }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml
index bc83baf91..c727eb887 100644
--- a/resources/latest/charts/istiod/values.yaml
+++ b/resources/latest/charts/istiod/values.yaml
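Review bot: The new `fail` message reads "Setting with .default prefix found" while the key it rejects is `.defaults` (the condition just above is `{{- if $.Values.defaults}}`), so the user is pointed at a key name that does not match what they set; make it `"Setting with .defaults prefix found; remove it. ..."`, and give that `if` the space before `}}` that every other action in the file has. The identical text and condition appear again in the ztunnel copy of this template in the hunk at line 660, so both copies need the fix. Separately, in this istiod copy the merge rewritten in the second hunk still sits under `{{- if false }}`, so `mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict)` is dead code here while the ztunnel copy runs it under `{{- if true }}`; there `($profile.global)` is nil whenever the profile defines no `global` key, and it would be worth confirming that mustMergeOverwrite tolerates a nil source before relying on it.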
@@ -1,6 +1,6 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 autoscaleEnabled: true
 autoscaleMin: 1
 autoscaleMax: 5
@@ -60,10 +60,14 @@ defaults:
 # Additional volumes to the istiod pod
 volumes: []
+ # Inject initContainers into the istiod pod
+ initContainers: []
+
 nodeSelector: {}
 podAnnotations: {}
 serviceAnnotations: {}
 serviceAccountAnnotations: {}
+ sidecarInjectorWebhookAnnotations: {}
 topologySpreadConstraints: []
@@ -162,6 +166,10 @@ defaults:
 # defaultTemplates: ["sidecar", "hello"]
 defaultTemplates: []
 istiodRemote:
+ # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+ # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+ # to utilize a remote instance.
+ enabled: false
 # Sidecar injector mutating webhook configuration clientConfig.url value.
 # For example: https://$remotePilotAddress:15017/inject
 # The host should not refer to a service running in the cluster; use a service reference by specifying
@@ -234,7 +242,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: gcr.io/istio-testing
 # Default tag for Istio images.
- tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+ tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
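Review bot: The rewritten "For instance" comment closes the first example with two backticks instead of one, so `--set _internal_defaults_do_not_set.foo=bar` is followed by a stray backtick in the rendered text; drop the extra one. The same line is repeated in the ztunnel values.yaml hunk at line 662. In the `istiodRemote:` hunk, the new `enabled: false` description says what is not installed but not what the remote mode needs to function; the templates in this diff still read `global.remotePilotAddress` (the istiod-remote service only renders an ExternalName when it is set), so a line such as `# When true, global.remotePilotAddress and/or injectionURL must point at the remote control plane` would save the reader a trip through the templates — confirm which of the two values is actually required before wording it.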
@@ -377,6 +385,9 @@ defaults:
 proxy_init:
 # Base name for the proxy_init container, used to configure iptables.
 image: proxyv2
+ # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+ # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+ forceApplyIptables: false
 # configure remote pilot and istiod service and endpoint
 remotePilotAddress: ""
@@ -506,6 +517,18 @@ defaults:
 cpu: "2"
 memory: 1Gi
+ # If specified, affinity defines the scheduling constraints of waypoint pods.
+ affinity: {}
+
+ # Topology Spread Constraints for the waypoint proxy.
+ topologySpreadConstraints: []
+
+ # Node labels for the waypoint proxy.
+ nodeSelector: {}
+
+ # Tolerations for the waypoint proxy.
+ tolerations: []
+
 base:
 # For istioctl usage to disable istio config crds in base
 enableIstioConfigCRDs: true
diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml
index 4eb63bbed..c6f4a8861 100644
--- a/resources/latest/charts/ztunnel/Chart.yaml
+++ b/resources/latest/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+appVersion: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
index 2b72bd93c..c8da4d2e1 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -15,6 +15,8 @@ pilot:
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
 PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
 meshConfig:
 # 1.22 behavioral changes
@@ -23,6 +25,9 @@ meshConfig:
 ISTIO_DELTA_XDS: "false"
 # 1.23 behavioral changes
 ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
 tracing:
 zipkin:
 address: zipkin.istio-system:9411
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
index 2badb70a5..70d8eb40c 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
@@ -11,6 +11,8 @@ pilot:
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
 PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
 meshConfig:
 defaultConfig:
@@ -19,3 +21,6 @@ meshConfig:
 ENABLE_DEFERRED_CLUSTER_CREATION: "false"
 # 1.23 behavioral changes
 ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
index f855500b0..636bb6f15 100644
--- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
+++ b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml
@@ -7,4 +7,13 @@ pilot:
 # 1.24 behavioral changes
 ENABLE_INBOUND_RETRY_POLICY: "false"
 EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false"
- PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
\ No newline at end of file
+ PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false"
+ ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false"
+ PILOT_UNIFIED_SIDECAR_SCOPE: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.24 behaviour changes
+ ENABLE_DEFERRED_STATS_CREATION: "false"
+ BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false"
diff --git a/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml
deleted file mode 100644
index 444665932..000000000
--- a/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-meshConfig:
- defaultConfig:
- proxyMetadata:
- ISTIO_META_ENABLE_HBONE: "true"
-global:
- platform: openshift
- variant: distroless
- seLinuxOptions:
- type: spc_t
-cni:
- ambient:
- enabled: true
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-pilot:
- cni:
- enabled: true
- provider: "multus"
- env:
- PILOT_ENABLE_AMBIENT: "true"
\ No newline at end of file
diff --git a/resources/latest/charts/ztunnel/files/profile-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-openshift.yaml
deleted file mode 100644
index 38357bd99..000000000
--- a/resources/latest/charts/ztunnel/files/profile-openshift.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
-# CNI must be installed.
-cni:
- cniBinDir: /var/lib/cni/bin
- cniConfDir: /etc/cni/multus/net.d
- chained: false
- cniConfFileName: "istio-cni.conf"
- logLevel: info
- provider: "multus"
-global:
- platform: openshift
-pilot:
- cni:
- enabled: true
- provider: "multus"
-platform: openshift
\ No newline at end of file
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml b/resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml
new file mode 100644
index 000000000..cd86d9ec5
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-k3d.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /bin
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml b/resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml
new file mode 100644
index 000000000..f3f2884aa
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-k3s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d
+ cniBinDir: /var/lib/rancher/k3s/data/current/bin/
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml b/resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml
new file mode 100644
index 000000000..57d7f5e3c
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-microk8s.yaml
@@ -0,0 +1,7 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniConfDir: /var/snap/microk8s/current/args/cni-network
+ cniBinDir: /var/snap/microk8s/current/opt/cni/bin
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml b/resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml
new file mode 100644
index 000000000..fa9992e20
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-minikube.yaml
@@ -0,0 +1,6 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+cni:
+ cniNetnsDir: /var/run/docker/netns
diff --git a/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
new file mode 100644
index 000000000..69eda2b1d
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-platform-openshift.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The OpenShift profile provides a basic set of settings to run Istio on OpenShift
+cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ provider: "multus"
+pilot:
+ cni:
+ enabled: true
+ provider: "multus"
+seLinuxOptions:
+ type: spc_t
diff --git a/resources/latest/charts/ztunnel/files/profile-remote.yaml b/resources/latest/charts/ztunnel/files/profile-remote.yaml
new file mode 100644
index 000000000..d17b9a801
--- /dev/null
+++ b/resources/latest/charts/ztunnel/files/profile-remote.yaml
@@ -0,0 +1,13 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile.
+istiodRemote:
+ enabled: true
+configMap: false
+telemetry:
+ enabled: false
+global:
+ # TODO BML maybe a different profile for a configcluster/revisit this
+ omitSidecarInjectorConfigMap: true
diff --git a/resources/latest/charts/ztunnel/templates/daemonset.yaml b/resources/latest/charts/ztunnel/templates/daemonset.yaml
index 6025871e9..c6e2daf48 100644
--- a/resources/latest/charts/ztunnel/templates/daemonset.yaml
+++ b/resources/latest/charts/ztunnel/templates/daemonset.yaml
@@ -188,7 +188,7 @@ spec:
 - name: cni-ztunnel-sock-dir
 hostPath:
 path: /var/run/ztunnel
- type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet.
+ type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet.
 # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
 - name: tmp
 emptyDir: {}
diff --git a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml
index 68a66eec6..72d3adc53 100644
--- a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml
+++ b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml
@@ -15,9 +15,14 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
-{{- $globals := $.Values.global | default dict | deepCopy }}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
+{{- if $.Values.defaults}}
+{{ fail (cat
+ "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n"
+ ($.Values.defaults | toYaml |nindent 4)
+) }}
+{{- end }}
+{{- $defaults := $.Values._internal_defaults_do_not_set }}
+{{- $_ := unset $.Values "_internal_defaults_do_not_set" }}
 {{- $profile := dict }}
 {{- with .Values.profile }}
 {{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
@@ -33,12 +38,19 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
 {{- end }}
 {{- end }}
+{{- if ($.Values.global).platform }}
+{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" ($.Values.global).platform) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown platform" ($.Values.global).platform) }}
+{{- end }}
+{{- end }}
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
 # Flatten globals, if defined on a per-chart basis
 {{- if true }}
-{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }}
 {{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml
index 955528f5b..877f05f27 100644
--- a/resources/latest/charts/ztunnel/values.yaml
+++ b/resources/latest/charts/ztunnel/values.yaml
@@ -1,10 +1,10 @@
-# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally.
-# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`.
-defaults:
+# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally.
+# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`.
+_internal_defaults_do_not_set:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: gcr.io/istio-testing
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
- tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+ tag: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
diff --git a/resources/v1.21.5/charts/base/Chart.yaml b/resources/v1.21.6/charts/base/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/base/Chart.yaml
rename to resources/v1.21.6/charts/base/Chart.yaml
index 61e7978b9..df758d1a4 100644
--- a/resources/v1.21.5/charts/base/Chart.yaml
+++ b/resources/v1.21.6/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.21.6
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.21.5
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/base/README.md b/resources/v1.21.6/charts/base/README.md
similarity index 100%
rename from resources/v1.21.5/charts/base/README.md
rename to resources/v1.21.6/charts/base/README.md
diff --git a/resources/v1.21.5/charts/base/crds/crd-all.gen.yaml b/resources/v1.21.6/charts/base/crds/crd-all.gen.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/crds/crd-all.gen.yaml
rename to resources/v1.21.6/charts/base/crds/crd-all.gen.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-ambient.yaml b/resources/v1.21.6/charts/base/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/base/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/base/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/base/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-demo.yaml b/resources/v1.21.6/charts/base/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-demo.yaml
rename to resources/v1.21.6/charts/base/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-openshift.yaml b/resources/v1.21.6/charts/base/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/base/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/base/files/profile-preview.yaml b/resources/v1.21.6/charts/base/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/files/profile-preview.yaml
rename to resources/v1.21.6/charts/base/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/base/templates/NOTES.txt b/resources/v1.21.6/charts/base/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/NOTES.txt
rename to resources/v1.21.6/charts/base/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/base/templates/crds.yaml b/resources/v1.21.6/charts/base/templates/crds.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/crds.yaml
rename to resources/v1.21.6/charts/base/templates/crds.yaml
diff --git a/resources/v1.21.5/charts/base/templates/default.yaml b/resources/v1.21.6/charts/base/templates/default.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/default.yaml
rename to resources/v1.21.6/charts/base/templates/default.yaml
diff --git a/resources/v1.21.5/charts/base/templates/endpoints.yaml b/resources/v1.21.6/charts/base/templates/endpoints.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/endpoints.yaml
rename to resources/v1.21.6/charts/base/templates/endpoints.yaml
diff --git a/resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.21.6/charts/base/templates/reader-serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml
rename to resources/v1.21.6/charts/base/templates/reader-serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/base/templates/services.yaml b/resources/v1.21.6/charts/base/templates/services.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/services.yaml
rename to resources/v1.21.6/charts/base/templates/services.yaml
diff --git a/resources/v1.21.5/charts/base/templates/zzz_profile.yaml b/resources/v1.21.6/charts/base/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/base/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/base/values.yaml b/resources/v1.21.6/charts/base/values.yaml
similarity index 100%
rename from resources/v1.21.5/charts/base/values.yaml
rename to resources/v1.21.6/charts/base/values.yaml
diff --git a/resources/v1.21.5/charts/cni/Chart.yaml b/resources/v1.21.6/charts/cni/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/cni/Chart.yaml
rename to resources/v1.21.6/charts/cni/Chart.yaml
index 8c4d91551..6435229e4 100644
--- a/resources/v1.21.5/charts/cni/Chart.yaml
+++ b/resources/v1.21.6/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.21.6
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio/tree/release-1.21/cni
-version: 1.21.5
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/cni/README.md b/resources/v1.21.6/charts/cni/README.md
similarity index 100%
rename from resources/v1.21.5/charts/cni/README.md
rename to resources/v1.21.6/charts/cni/README.md
diff --git a/resources/v1.21.5/charts/cni/files/profile-ambient.yaml b/resources/v1.21.6/charts/cni/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/cni/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/cni/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/cni/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-demo.yaml b/resources/v1.21.6/charts/cni/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-demo.yaml
rename to resources/v1.21.6/charts/cni/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-openshift.yaml b/resources/v1.21.6/charts/cni/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/cni/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/cni/files/profile-preview.yaml b/resources/v1.21.6/charts/cni/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/files/profile-preview.yaml
rename to resources/v1.21.6/charts/cni/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/NOTES.txt b/resources/v1.21.6/charts/cni/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/NOTES.txt
rename to resources/v1.21.6/charts/cni/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/cni/templates/clusterrole.yaml b/resources/v1.21.6/charts/cni/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/clusterrole.yaml
rename to resources/v1.21.6/charts/cni/templates/clusterrole.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.21.6/charts/cni/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml
rename to resources/v1.21.6/charts/cni/templates/clusterrolebinding.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/configmap-cni.yaml b/resources/v1.21.6/charts/cni/templates/configmap-cni.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/configmap-cni.yaml
rename to resources/v1.21.6/charts/cni/templates/configmap-cni.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/daemonset.yaml b/resources/v1.21.6/charts/cni/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/daemonset.yaml
rename to resources/v1.21.6/charts/cni/templates/daemonset.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.21.6/charts/cni/templates/network-attachment-definition.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml
rename to resources/v1.21.6/charts/cni/templates/network-attachment-definition.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/resourcequota.yaml b/resources/v1.21.6/charts/cni/templates/resourcequota.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/resourcequota.yaml
rename to resources/v1.21.6/charts/cni/templates/resourcequota.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/serviceaccount.yaml b/resources/v1.21.6/charts/cni/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/serviceaccount.yaml
rename to resources/v1.21.6/charts/cni/templates/serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/cni/templates/zzz_profile.yaml b/resources/v1.21.6/charts/cni/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/cni/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/cni/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/cni/values.yaml b/resources/v1.21.6/charts/cni/values.yaml
similarity index 99%
rename from resources/v1.21.5/charts/cni/values.yaml
rename to resources/v1.21.6/charts/cni/values.yaml
index 8f65adbea..e23c58b64 100644
--- a/resources/v1.21.5/charts/cni/values.yaml
+++ b/resources/v1.21.6/charts/cni/values.yaml
@@ -116,7 +116,7 @@ defaults:
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.21.5
+ tag: 1.21.6
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
diff --git a/resources/v1.22.3/charts/gateway/Chart.yaml b/resources/v1.21.6/charts/gateway/Chart.yaml
similarity index 86%
rename from resources/v1.22.3/charts/gateway/Chart.yaml
rename to resources/v1.21.6/charts/gateway/Chart.yaml
index 626ba6957..b5b027eb3 100644
--- a/resources/v1.22.3/charts/gateway/Chart.yaml
+++ b/resources/v1.21.6/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.22.3
+appVersion: 1.21.6
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.22.3
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/gateway/README.md b/resources/v1.21.6/charts/gateway/README.md
similarity index 100%
rename from resources/v1.21.5/charts/gateway/README.md
rename to resources/v1.21.6/charts/gateway/README.md
diff --git a/resources/v1.21.5/charts/gateway/files/profile-ambient.yaml b/resources/v1.21.6/charts/gateway/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/gateway/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-demo.yaml b/resources/v1.21.6/charts/gateway/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-demo.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-openshift.yaml b/resources/v1.21.6/charts/gateway/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/gateway/files/profile-preview.yaml b/resources/v1.21.6/charts/gateway/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/files/profile-preview.yaml
rename to resources/v1.21.6/charts/gateway/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/NOTES.txt b/resources/v1.21.6/charts/gateway/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/NOTES.txt
rename to resources/v1.21.6/charts/gateway/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/gateway/templates/_helpers.tpl b/resources/v1.21.6/charts/gateway/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/_helpers.tpl
rename to resources/v1.21.6/charts/gateway/templates/_helpers.tpl
diff --git a/resources/v1.21.5/charts/gateway/templates/deployment.yaml b/resources/v1.21.6/charts/gateway/templates/deployment.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/deployment.yaml
rename to resources/v1.21.6/charts/gateway/templates/deployment.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/hpa.yaml b/resources/v1.21.6/charts/gateway/templates/hpa.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/hpa.yaml
rename to resources/v1.21.6/charts/gateway/templates/hpa.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.21.6/charts/gateway/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml
rename to resources/v1.21.6/charts/gateway/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/role.yaml b/resources/v1.21.6/charts/gateway/templates/role.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/role.yaml
rename to resources/v1.21.6/charts/gateway/templates/role.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/service.yaml b/resources/v1.21.6/charts/gateway/templates/service.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/service.yaml
rename to resources/v1.21.6/charts/gateway/templates/service.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml b/resources/v1.21.6/charts/gateway/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml
rename to resources/v1.21.6/charts/gateway/templates/serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml b/resources/v1.21.6/charts/gateway/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/gateway/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/gateway/values.schema.json b/resources/v1.21.6/charts/gateway/values.schema.json
similarity index 100%
rename from resources/v1.21.5/charts/gateway/values.schema.json
rename to resources/v1.21.6/charts/gateway/values.schema.json
diff --git a/resources/v1.21.5/charts/gateway/values.yaml b/resources/v1.21.6/charts/gateway/values.yaml
similarity index 100%
rename from resources/v1.21.5/charts/gateway/values.yaml
rename to resources/v1.21.6/charts/gateway/values.yaml
diff --git a/resources/v1.21.5/charts/istiod/Chart.yaml b/resources/v1.21.6/charts/istiod/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/istiod/Chart.yaml
rename to resources/v1.21.6/charts/istiod/Chart.yaml
index 9a783f4eb..121a4ab64 100644
--- a/resources/v1.21.5/charts/istiod/Chart.yaml
+++ b/resources/v1.21.6/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.21.6
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.21.5
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/istiod/README.md b/resources/v1.21.6/charts/istiod/README.md
similarity index 100%
rename from resources/v1.21.5/charts/istiod/README.md
rename to resources/v1.21.6/charts/istiod/README.md
diff --git a/resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.21.6/charts/istiod/files/gateway-injection-template.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml
rename to resources/v1.21.6/charts/istiod/files/gateway-injection-template.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/grpc-agent.yaml b/resources/v1.21.6/charts/istiod/files/grpc-agent.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/grpc-agent.yaml
rename to resources/v1.21.6/charts/istiod/files/grpc-agent.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/grpc-simple.yaml b/resources/v1.21.6/charts/istiod/files/grpc-simple.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/grpc-simple.yaml
rename to resources/v1.21.6/charts/istiod/files/grpc-simple.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/injection-template.yaml b/resources/v1.21.6/charts/istiod/files/injection-template.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/injection-template.yaml
rename to resources/v1.21.6/charts/istiod/files/injection-template.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/kube-gateway.yaml b/resources/v1.21.6/charts/istiod/files/kube-gateway.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/kube-gateway.yaml
rename to resources/v1.21.6/charts/istiod/files/kube-gateway.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-ambient.yaml b/resources/v1.21.6/charts/istiod/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/istiod/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-demo.yaml b/resources/v1.21.6/charts/istiod/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-demo.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-openshift.yaml b/resources/v1.21.6/charts/istiod/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/profile-preview.yaml b/resources/v1.21.6/charts/istiod/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/profile-preview.yaml
rename to resources/v1.21.6/charts/istiod/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/istiod/files/waypoint.yaml b/resources/v1.21.6/charts/istiod/files/waypoint.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/files/waypoint.yaml
rename to resources/v1.21.6/charts/istiod/files/waypoint.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/NOTES.txt b/resources/v1.21.6/charts/istiod/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/NOTES.txt
rename to resources/v1.21.6/charts/istiod/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/istiod/templates/_helpers.tpl b/resources/v1.21.6/charts/istiod/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/_helpers.tpl
rename to resources/v1.21.6/charts/istiod/templates/_helpers.tpl
diff --git a/resources/v1.21.5/charts/istiod/templates/autoscale.yaml b/resources/v1.21.6/charts/istiod/templates/autoscale.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/autoscale.yaml
rename to resources/v1.21.6/charts/istiod/templates/autoscale.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/clusterrole.yaml b/resources/v1.21.6/charts/istiod/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/clusterrole.yaml
rename to resources/v1.21.6/charts/istiod/templates/clusterrole.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.21.6/charts/istiod/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml
rename to resources/v1.21.6/charts/istiod/templates/clusterrolebinding.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.21.6/charts/istiod/templates/configmap-jwks.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml
rename to resources/v1.21.6/charts/istiod/templates/configmap-jwks.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/configmap.yaml b/resources/v1.21.6/charts/istiod/templates/configmap.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/configmap.yaml
rename to resources/v1.21.6/charts/istiod/templates/configmap.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/deployment.yaml b/resources/v1.21.6/charts/istiod/templates/deployment.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/deployment.yaml
rename to resources/v1.21.6/charts/istiod/templates/deployment.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.21.6/charts/istiod/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml
rename to resources/v1.21.6/charts/istiod/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.21.6/charts/istiod/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml
rename to resources/v1.21.6/charts/istiod/templates/mutatingwebhook.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.21.6/charts/istiod/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml
rename to resources/v1.21.6/charts/istiod/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.21.6/charts/istiod/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml
rename to resources/v1.21.6/charts/istiod/templates/reader-clusterrole.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.21.6/charts/istiod/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml
rename to resources/v1.21.6/charts/istiod/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/revision-tags.yaml b/resources/v1.21.6/charts/istiod/templates/revision-tags.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/revision-tags.yaml
rename to resources/v1.21.6/charts/istiod/templates/revision-tags.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/role.yaml b/resources/v1.21.6/charts/istiod/templates/role.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/role.yaml
rename to resources/v1.21.6/charts/istiod/templates/role.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/rolebinding.yaml b/resources/v1.21.6/charts/istiod/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/rolebinding.yaml
rename to resources/v1.21.6/charts/istiod/templates/rolebinding.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/service.yaml b/resources/v1.21.6/charts/istiod/templates/service.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/service.yaml
rename to resources/v1.21.6/charts/istiod/templates/service.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml b/resources/v1.21.6/charts/istiod/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml
rename to resources/v1.21.6/charts/istiod/templates/serviceaccount.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.21.6/charts/istiod/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.21.6/charts/istiod/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml b/resources/v1.21.6/charts/istiod/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/istiod/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/istiod/values.yaml b/resources/v1.21.6/charts/istiod/values.yaml
similarity index 99%
rename from resources/v1.21.5/charts/istiod/values.yaml
rename to resources/v1.21.6/charts/istiod/values.yaml
index a520c7a48..2a80fa50d 100644
--- a/resources/v1.21.5/charts/istiod/values.yaml
+++ b/resources/v1.21.6/charts/istiod/values.yaml
@@ -216,7 +216,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.21.5
+ tag: 1.21.6
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/v1.22.3/charts/ztunnel/Chart.yaml b/resources/v1.21.6/charts/ztunnel/Chart.yaml
similarity index 86%
rename from resources/v1.22.3/charts/ztunnel/Chart.yaml
rename to resources/v1.21.6/charts/ztunnel/Chart.yaml
index 8bc58b9bd..d557e634b 100644
--- a/resources/v1.22.3/charts/ztunnel/Chart.yaml
+++ b/resources/v1.21.6/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22.3
+appVersion: 1.21.6
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.22.3
+version: 1.21.6
diff --git a/resources/v1.21.5/charts/ztunnel/README.md b/resources/v1.21.6/charts/ztunnel/README.md
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/README.md
rename to resources/v1.21.6/charts/ztunnel/README.md
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-ambient.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-demo.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-openshift.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml b/resources/v1.21.6/charts/ztunnel/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml
rename to resources/v1.21.6/charts/ztunnel/files/profile-preview.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/templates/NOTES.txt b/resources/v1.21.6/charts/ztunnel/templates/NOTES.txt
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/NOTES.txt
rename to resources/v1.21.6/charts/ztunnel/templates/NOTES.txt
diff --git a/resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml b/resources/v1.21.6/charts/ztunnel/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml
rename to resources/v1.21.6/charts/ztunnel/templates/daemonset.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/templates/rbac.yaml b/resources/v1.21.6/charts/ztunnel/templates/rbac.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/rbac.yaml
rename to resources/v1.21.6/charts/ztunnel/templates/rbac.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.21.6/charts/ztunnel/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml
rename to resources/v1.21.6/charts/ztunnel/templates/zzz_profile.yaml
diff --git a/resources/v1.21.5/charts/ztunnel/values.yaml b/resources/v1.21.6/charts/ztunnel/values.yaml
similarity index 99%
rename from resources/v1.21.5/charts/ztunnel/values.yaml
rename to resources/v1.21.6/charts/ztunnel/values.yaml
index 0416f7374..3929f153f 100644
--- a/resources/v1.21.5/charts/ztunnel/values.yaml
+++ b/resources/v1.21.6/charts/ztunnel/values.yaml
@@ -2,7 +2,7 @@ defaults:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: docker.io/istio
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
- tag: 1.21.5
+ tag: 1.21.6
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
diff --git a/resources/v1.21.5/profiles/ambient.yaml b/resources/v1.21.6/profiles/ambient.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/ambient.yaml
rename to resources/v1.21.6/profiles/ambient.yaml
diff --git a/resources/v1.21.5/profiles/default.yaml b/resources/v1.21.6/profiles/default.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/default.yaml
rename to resources/v1.21.6/profiles/default.yaml
diff --git a/resources/v1.21.5/profiles/demo.yaml b/resources/v1.21.6/profiles/demo.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/demo.yaml
rename to resources/v1.21.6/profiles/demo.yaml
diff --git a/resources/v1.21.5/profiles/empty.yaml b/resources/v1.21.6/profiles/empty.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/empty.yaml
rename to resources/v1.21.6/profiles/empty.yaml
diff --git a/resources/v1.21.5/profiles/external.yaml b/resources/v1.21.6/profiles/external.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/external.yaml
rename to resources/v1.21.6/profiles/external.yaml
diff --git a/resources/v1.21.5/profiles/openshift.yaml b/resources/v1.21.6/profiles/openshift.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/openshift.yaml
rename to resources/v1.21.6/profiles/openshift.yaml
diff --git a/resources/v1.21.5/profiles/preview.yaml b/resources/v1.21.6/profiles/preview.yaml
similarity index 100%
rename from resources/v1.21.5/profiles/preview.yaml
rename to resources/v1.21.6/profiles/preview.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
deleted file mode 100644
index 808d224ed..000000000
--- a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
-# The original version of this file is located at /manifests/helm-profiles directory.
-# If you want to make a change in this file, edit the original one and run "make gen".
-
-pilot:
- env:
- # 1.22 behavioral changes
- ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
- ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
-meshConfig:
- # 1.22 behavioral changes
- proxyMetadata:
- ISTIO_DELTA_XDS: "false"
- defaultConfig:
- tracing:
- zipkin:
- address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml
deleted file mode 100644
index 6359d435a..000000000
--- a/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-{{/*
-WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
-The original version of this file is located at /manifests directory.
-If you want to make a change in this file, edit the original one and run "make gen".
-
-Complex logic ahead...
-We have three sets of values, in order of precedence (last wins):
-1. The builtin values.yaml defaults
-2. The profile the user selects
-3. Users input (-f or --set)
-
-Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
-
-However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
-We can then merge the profile onto the defaults, then the user settings onto that.
-Finally, we can set all of that under .Values so the chart behaves without awareness.
-*/}}
-{{- $defaults := $.Values.defaults }}
-{{- $_ := unset $.Values "defaults" }}
-{{- $profile := dict }}
-{{- with .Values.profile }}
-{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
-{{- $profile = (. | fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown profile" $.Values.profile) }}
-{{- end }}
-{{- end }}
-{{- with .Values.compatibilityVersion }}
-{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
-{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
-{{- else }}
-{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
-{{- end }}
-{{- end }}
-{{- if $profile }}
-{{- $a := mustMergeOverwrite $defaults $profile }}
-{{- end }}
-{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.22.3/charts/base/Chart.yaml b/resources/v1.22.5/charts/base/Chart.yaml
similarity index 86%
rename from resources/v1.22.3/charts/base/Chart.yaml
rename to resources/v1.22.5/charts/base/Chart.yaml
index bf0eebf6f..61e79a1e5 100644
--- a/resources/v1.22.3/charts/base/Chart.yaml
+++ b/resources/v1.22.5/charts/base/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22.3
+appVersion: 1.22.5
 description: Helm chart for deploying Istio cluster resources and CRDs
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -7,4 +7,4 @@ keywords:
 name: base
 sources:
 - https://github.com/istio/istio
-version: 1.22.3
+version: 1.22.5
diff --git a/resources/v1.22.3/charts/base/README.md b/resources/v1.22.5/charts/base/README.md
similarity index 100%
rename from resources/v1.22.3/charts/base/README.md
rename to resources/v1.22.5/charts/base/README.md
diff --git a/resources/v1.22.3/charts/base/crds/crd-all.gen.yaml b/resources/v1.22.5/charts/base/crds/crd-all.gen.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/crds/crd-all.gen.yaml
rename to resources/v1.22.5/charts/base/crds/crd-all.gen.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-ambient.yaml b/resources/v1.22.5/charts/base/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/base/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/base/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/base/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/base/files/profile-compatibility-version-1.21.yaml
similarity index 90%
rename from resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml
rename to resources/v1.22.5/charts/base/files/profile-compatibility-version-1.21.yaml
index 808d224ed..a204a7ad4 100644
--- a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml
+++ b/resources/v1.22.5/charts/base/files/profile-compatibility-version-1.21.yaml
@@ -9,9 +9,9 @@ pilot:
 ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
 meshConfig:
 # 1.22 behavioral changes
- proxyMetadata:
- ISTIO_DELTA_XDS: "false"
 defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
 tracing:
 zipkin:
 address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/base/files/profile-demo.yaml b/resources/v1.22.5/charts/base/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-demo.yaml
rename to resources/v1.22.5/charts/base/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/base/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/base/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-openshift.yaml b/resources/v1.22.5/charts/base/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/base/files/profile-openshift.yaml
diff --git a/resources/latest/charts/istiod-remote/files/profile-preview.yaml b/resources/v1.22.5/charts/base/files/profile-preview.yaml
similarity index 100%
rename from resources/latest/charts/istiod-remote/files/profile-preview.yaml
rename to resources/v1.22.5/charts/base/files/profile-preview.yaml
diff --git a/resources/latest/charts/istiod-remote/files/profile-stable.yaml b/resources/v1.22.5/charts/base/files/profile-stable.yaml
similarity index 100%
rename from resources/latest/charts/istiod-remote/files/profile-stable.yaml
rename to resources/v1.22.5/charts/base/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/base/templates/NOTES.txt b/resources/v1.22.5/charts/base/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/NOTES.txt
rename to resources/v1.22.5/charts/base/templates/NOTES.txt
diff --git a/resources/v1.22.3/charts/base/templates/crds.yaml b/resources/v1.22.5/charts/base/templates/crds.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/crds.yaml
rename to resources/v1.22.5/charts/base/templates/crds.yaml
diff --git a/resources/v1.22.3/charts/base/templates/default.yaml b/resources/v1.22.5/charts/base/templates/default.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/default.yaml
rename to resources/v1.22.5/charts/base/templates/default.yaml
diff --git a/resources/v1.22.3/charts/base/templates/endpoints.yaml b/resources/v1.22.5/charts/base/templates/endpoints.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/endpoints.yaml
rename to resources/v1.22.5/charts/base/templates/endpoints.yaml
diff --git a/resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.22.5/charts/base/templates/reader-serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml
rename to resources/v1.22.5/charts/base/templates/reader-serviceaccount.yaml
diff --git a/resources/v1.22.3/charts/base/templates/services.yaml b/resources/v1.22.5/charts/base/templates/services.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/services.yaml
rename to resources/v1.22.5/charts/base/templates/services.yaml
diff --git a/resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.22.5/charts/base/templates/validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml
rename to resources/v1.22.5/charts/base/templates/validatingadmissionpolicy.yaml
diff --git a/resources/v1.23.0/charts/base/templates/zzz_profile.yaml b/resources/v1.22.5/charts/base/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/base/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/base/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/base/values.yaml b/resources/v1.22.5/charts/base/values.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/values.yaml
rename to resources/v1.22.5/charts/base/values.yaml
diff --git a/resources/v1.22.3/charts/cni/Chart.yaml b/resources/v1.22.5/charts/cni/Chart.yaml
similarity index 85%
rename from resources/v1.22.3/charts/cni/Chart.yaml
rename to resources/v1.22.5/charts/cni/Chart.yaml
index 990f1e4e3..ab2bf2a1b 100644
--- a/resources/v1.22.3/charts/cni/Chart.yaml
+++ b/resources/v1.22.5/charts/cni/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22.3
+appVersion: 1.22.5
 description: Helm chart for istio-cni components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: cni
 sources:
 - https://github.com/istio/istio
-version: 1.22.3
+version: 1.22.5
diff --git a/resources/v1.22.3/charts/cni/README.md b/resources/v1.22.5/charts/cni/README.md
similarity index 100%
rename from resources/v1.22.3/charts/cni/README.md
rename to resources/v1.22.5/charts/cni/README.md
diff --git a/resources/v1.22.3/charts/cni/files/profile-ambient.yaml b/resources/v1.22.5/charts/cni/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/cni/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.21.yaml
similarity index 90%
rename from resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml
rename to resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.21.yaml
index 808d224ed..a204a7ad4 100644
--- a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml
+++ b/resources/v1.22.5/charts/cni/files/profile-compatibility-version-1.21.yaml
@@ -9,9 +9,9 @@ pilot:
     ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
 meshConfig:
   # 1.22 behavioral changes
-  proxyMetadata:
-    ISTIO_DELTA_XDS: "false"
   defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
     tracing:
       zipkin:
         address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/cni/files/profile-demo.yaml b/resources/v1.22.5/charts/cni/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-demo.yaml
rename to resources/v1.22.5/charts/cni/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/cni/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/cni/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-openshift.yaml b/resources/v1.22.5/charts/cni/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/cni/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-preview.yaml b/resources/v1.22.5/charts/cni/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-preview.yaml
rename to resources/v1.22.5/charts/cni/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-stable.yaml b/resources/v1.22.5/charts/cni/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/base/files/profile-stable.yaml
rename to resources/v1.22.5/charts/cni/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/NOTES.txt b/resources/v1.22.5/charts/cni/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/NOTES.txt
rename to resources/v1.22.5/charts/cni/templates/NOTES.txt
diff --git a/resources/v1.22.3/charts/cni/templates/clusterrole.yaml b/resources/v1.22.5/charts/cni/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/clusterrole.yaml
rename to resources/v1.22.5/charts/cni/templates/clusterrole.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.22.5/charts/cni/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml
rename to resources/v1.22.5/charts/cni/templates/clusterrolebinding.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/configmap-cni.yaml b/resources/v1.22.5/charts/cni/templates/configmap-cni.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/configmap-cni.yaml
rename to resources/v1.22.5/charts/cni/templates/configmap-cni.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/daemonset.yaml b/resources/v1.22.5/charts/cni/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/daemonset.yaml
rename to resources/v1.22.5/charts/cni/templates/daemonset.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.22.5/charts/cni/templates/network-attachment-definition.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml
rename to resources/v1.22.5/charts/cni/templates/network-attachment-definition.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/resourcequota.yaml b/resources/v1.22.5/charts/cni/templates/resourcequota.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/resourcequota.yaml
rename to resources/v1.22.5/charts/cni/templates/resourcequota.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/serviceaccount.yaml b/resources/v1.22.5/charts/cni/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/templates/serviceaccount.yaml
rename to resources/v1.22.5/charts/cni/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/cni/templates/zzz_profile.yaml b/resources/v1.22.5/charts/cni/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/cni/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/cni/values.yaml b/resources/v1.22.5/charts/cni/values.yaml
similarity index 99%
rename from resources/v1.22.3/charts/cni/values.yaml
rename to resources/v1.22.5/charts/cni/values.yaml
index f40a5f801..3c1031325 100644
--- a/resources/v1.22.3/charts/cni/values.yaml
+++ b/resources/v1.22.5/charts/cni/values.yaml
@@ -110,7 +110,7 @@ defaults:
     hub: docker.io/istio
 
     # Default tag for Istio images.
-    tag: 1.22.3
+    tag: 1.22.5
 
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
diff --git a/resources/v1.23.0/charts/gateway/Chart.yaml b/resources/v1.22.5/charts/gateway/Chart.yaml
similarity index 86%
rename from resources/v1.23.0/charts/gateway/Chart.yaml
rename to resources/v1.22.5/charts/gateway/Chart.yaml
index e96b476bc..bd4020cd7 100644
--- a/resources/v1.23.0/charts/gateway/Chart.yaml
+++ b/resources/v1.22.5/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23.0
+appVersion: 1.22.5
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.23.0
+version: 1.22.5
diff --git a/resources/v1.22.3/charts/gateway/README.md b/resources/v1.22.5/charts/gateway/README.md
similarity index 100%
rename from resources/v1.22.3/charts/gateway/README.md
rename to resources/v1.22.5/charts/gateway/README.md
diff --git a/resources/v1.22.3/charts/gateway/files/profile-ambient.yaml b/resources/v1.22.5/charts/gateway/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.21.yaml
similarity index 90%
rename from resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.21.yaml
index 808d224ed..a204a7ad4 100644
--- a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml
+++ b/resources/v1.22.5/charts/gateway/files/profile-compatibility-version-1.21.yaml
@@ -9,9 +9,9 @@ pilot:
     ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
 meshConfig:
   # 1.22 behavioral changes
-  proxyMetadata:
-    ISTIO_DELTA_XDS: "false"
   defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
     tracing:
       zipkin:
         address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/gateway/files/profile-demo.yaml b/resources/v1.22.5/charts/gateway/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-demo.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/gateway/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-openshift.yaml b/resources/v1.22.5/charts/gateway/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-preview.yaml b/resources/v1.22.5/charts/gateway/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-preview.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/cni/files/profile-stable.yaml b/resources/v1.22.5/charts/gateway/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/cni/files/profile-stable.yaml
rename to resources/v1.22.5/charts/gateway/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/NOTES.txt b/resources/v1.22.5/charts/gateway/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/NOTES.txt
rename to resources/v1.22.5/charts/gateway/templates/NOTES.txt
diff --git a/resources/v1.22.3/charts/gateway/templates/_helpers.tpl b/resources/v1.22.5/charts/gateway/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/_helpers.tpl
rename to resources/v1.22.5/charts/gateway/templates/_helpers.tpl
diff --git a/resources/v1.22.3/charts/gateway/templates/deployment.yaml b/resources/v1.22.5/charts/gateway/templates/deployment.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/deployment.yaml
rename to resources/v1.22.5/charts/gateway/templates/deployment.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/hpa.yaml b/resources/v1.22.5/charts/gateway/templates/hpa.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/hpa.yaml
rename to resources/v1.22.5/charts/gateway/templates/hpa.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.22.5/charts/gateway/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml
rename to resources/v1.22.5/charts/gateway/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/role.yaml b/resources/v1.22.5/charts/gateway/templates/role.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/role.yaml
rename to resources/v1.22.5/charts/gateway/templates/role.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/service.yaml b/resources/v1.22.5/charts/gateway/templates/service.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/service.yaml
rename to resources/v1.22.5/charts/gateway/templates/service.yaml
diff --git a/resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml b/resources/v1.22.5/charts/gateway/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml
rename to resources/v1.22.5/charts/gateway/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/gateway/templates/zzz_profile.yaml b/resources/v1.22.5/charts/gateway/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/gateway/templates/zzz_profile.yaml
diff --git a/resources/v1.23.0/charts/gateway/values.schema.json b/resources/v1.22.5/charts/gateway/values.schema.json
similarity index 100%
rename from resources/v1.23.0/charts/gateway/values.schema.json
rename to resources/v1.22.5/charts/gateway/values.schema.json
diff --git a/resources/v1.22.3/charts/gateway/values.yaml b/resources/v1.22.5/charts/gateway/values.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/values.yaml
rename to resources/v1.22.5/charts/gateway/values.yaml
diff --git a/resources/v1.22.3/charts/istiod/Chart.yaml b/resources/v1.22.5/charts/istiod/Chart.yaml
similarity index 86%
rename from resources/v1.22.3/charts/istiod/Chart.yaml
rename to resources/v1.22.5/charts/istiod/Chart.yaml
index 3cf7bd630..dc261d81a 100644
--- a/resources/v1.22.3/charts/istiod/Chart.yaml
+++ b/resources/v1.22.5/charts/istiod/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.22.3
+appVersion: 1.22.5
 description: Helm chart for istio control plane
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -9,4 +9,4 @@ keywords:
 name: istiod
 sources:
 - https://github.com/istio/istio
-version: 1.22.3
+version: 1.22.5
diff --git a/resources/v1.22.3/charts/istiod/README.md b/resources/v1.22.5/charts/istiod/README.md
similarity index 100%
rename from resources/v1.22.3/charts/istiod/README.md
rename to resources/v1.22.5/charts/istiod/README.md
diff --git a/resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.22.5/charts/istiod/files/gateway-injection-template.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml
rename to resources/v1.22.5/charts/istiod/files/gateway-injection-template.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/grpc-agent.yaml b/resources/v1.22.5/charts/istiod/files/grpc-agent.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/grpc-agent.yaml
rename to resources/v1.22.5/charts/istiod/files/grpc-agent.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/grpc-simple.yaml b/resources/v1.22.5/charts/istiod/files/grpc-simple.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/grpc-simple.yaml
rename to resources/v1.22.5/charts/istiod/files/grpc-simple.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/injection-template.yaml b/resources/v1.22.5/charts/istiod/files/injection-template.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/injection-template.yaml
rename to resources/v1.22.5/charts/istiod/files/injection-template.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/kube-gateway.yaml b/resources/v1.22.5/charts/istiod/files/kube-gateway.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/kube-gateway.yaml
rename to resources/v1.22.5/charts/istiod/files/kube-gateway.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-ambient.yaml b/resources/v1.22.5/charts/istiod/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.21.yaml
similarity index 90%
rename from resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.21.yaml
index 808d224ed..a204a7ad4 100644
--- a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml
+++ b/resources/v1.22.5/charts/istiod/files/profile-compatibility-version-1.21.yaml
@@ -9,9 +9,9 @@ pilot:
     ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
 meshConfig:
   # 1.22 behavioral changes
-  proxyMetadata:
-    ISTIO_DELTA_XDS: "false"
   defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
     tracing:
       zipkin:
         address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/istiod/files/profile-demo.yaml b/resources/v1.22.5/charts/istiod/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-demo.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/istiod/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-openshift.yaml b/resources/v1.22.5/charts/istiod/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-preview.yaml b/resources/v1.22.5/charts/istiod/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-preview.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/gateway/files/profile-stable.yaml b/resources/v1.22.5/charts/istiod/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/gateway/files/profile-stable.yaml
rename to resources/v1.22.5/charts/istiod/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/waypoint.yaml b/resources/v1.22.5/charts/istiod/files/waypoint.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/waypoint.yaml
rename to resources/v1.22.5/charts/istiod/files/waypoint.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/NOTES.txt b/resources/v1.22.5/charts/istiod/templates/NOTES.txt
similarity index 98%
rename from resources/v1.22.3/charts/istiod/templates/NOTES.txt
rename to resources/v1.22.5/charts/istiod/templates/NOTES.txt
index 0771b919d..1acb4dbf9 100644
--- a/resources/v1.22.3/charts/istiod/templates/NOTES.txt
+++ b/resources/v1.22.5/charts/istiod/templates/NOTES.txt
@@ -5,7 +5,8 @@ To learn more about the release, try:
   $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }}
 
 Next steps:
-{{- if (eq .Values.profile "ambient") }}
+{{- $profile := default "" .Values.profile }}
+{{- if (eq $profile "ambient") }}
   * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/
   * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/
 {{- else }}
diff --git a/resources/v1.22.3/charts/istiod/templates/_helpers.tpl b/resources/v1.22.5/charts/istiod/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/_helpers.tpl
rename to resources/v1.22.5/charts/istiod/templates/_helpers.tpl
diff --git a/resources/v1.22.3/charts/istiod/templates/autoscale.yaml b/resources/v1.22.5/charts/istiod/templates/autoscale.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/autoscale.yaml
rename to resources/v1.22.5/charts/istiod/templates/autoscale.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/clusterrole.yaml b/resources/v1.22.5/charts/istiod/templates/clusterrole.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/clusterrole.yaml
rename to resources/v1.22.5/charts/istiod/templates/clusterrole.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.22.5/charts/istiod/templates/clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml
rename to resources/v1.22.5/charts/istiod/templates/clusterrolebinding.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.22.5/charts/istiod/templates/configmap-jwks.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml
rename to resources/v1.22.5/charts/istiod/templates/configmap-jwks.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/configmap.yaml b/resources/v1.22.5/charts/istiod/templates/configmap.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/configmap.yaml
rename to resources/v1.22.5/charts/istiod/templates/configmap.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/deployment.yaml b/resources/v1.22.5/charts/istiod/templates/deployment.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/deployment.yaml
rename to resources/v1.22.5/charts/istiod/templates/deployment.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.22.5/charts/istiod/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml
rename to resources/v1.22.5/charts/istiod/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.22.5/charts/istiod/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml
rename to resources/v1.22.5/charts/istiod/templates/mutatingwebhook.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.22.5/charts/istiod/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml
rename to resources/v1.22.5/charts/istiod/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.22.5/charts/istiod/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml
rename to resources/v1.22.5/charts/istiod/templates/reader-clusterrole.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.22.5/charts/istiod/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml
rename to resources/v1.22.5/charts/istiod/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/revision-tags.yaml b/resources/v1.22.5/charts/istiod/templates/revision-tags.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/revision-tags.yaml
rename to resources/v1.22.5/charts/istiod/templates/revision-tags.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/role.yaml b/resources/v1.22.5/charts/istiod/templates/role.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/role.yaml
rename to resources/v1.22.5/charts/istiod/templates/role.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/rolebinding.yaml b/resources/v1.22.5/charts/istiod/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/rolebinding.yaml
rename to resources/v1.22.5/charts/istiod/templates/rolebinding.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/service.yaml b/resources/v1.22.5/charts/istiod/templates/service.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/service.yaml
rename to resources/v1.22.5/charts/istiod/templates/service.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml b/resources/v1.22.5/charts/istiod/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml
rename to resources/v1.22.5/charts/istiod/templates/serviceaccount.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.22.5/charts/istiod/templates/validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml
rename to resources/v1.22.5/charts/istiod/templates/validatingadmissionpolicy.yaml
diff --git a/resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.22.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.22.5/charts/istiod/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/zzz_profile.yaml b/resources/v1.22.5/charts/istiod/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod-remote/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/istiod/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/istiod/values.yaml b/resources/v1.22.5/charts/istiod/values.yaml
similarity index 99%
rename from resources/v1.22.3/charts/istiod/values.yaml
rename to resources/v1.22.5/charts/istiod/values.yaml
index cde10002b..1eff1e7b3 100644
--- a/resources/v1.22.3/charts/istiod/values.yaml
+++ b/resources/v1.22.5/charts/istiod/values.yaml
@@ -234,7 +234,7 @@ defaults:
     # Dev builds from prow are on gcr.io
     hub: docker.io/istio
     # Default tag for Istio images.
-    tag: 1.22.3
+    tag: 1.22.5
     # Variant of the image to use.
     # Currently supported are: [debug, distroless]
     variant: ""
diff --git a/resources/v1.21.5/charts/ztunnel/Chart.yaml b/resources/v1.22.5/charts/ztunnel/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/ztunnel/Chart.yaml
rename to resources/v1.22.5/charts/ztunnel/Chart.yaml
index 39c53c819..a4ad01f5c 100644
--- a/resources/v1.21.5/charts/ztunnel/Chart.yaml
+++ b/resources/v1.22.5/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 1.21.5
+appVersion: 1.22.5
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.21.5
+version: 1.22.5
diff --git a/resources/v1.22.3/charts/ztunnel/README.md b/resources/v1.22.5/charts/ztunnel/README.md
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/README.md
rename to resources/v1.22.5/charts/ztunnel/README.md
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-ambient.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..a204a7ad4
--- /dev/null
+++ b/resources/v1.22.5/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,17 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+  env:
+    # 1.22 behavioral changes
+    ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+    ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+meshConfig:
+  # 1.22 behavioral changes
+  defaultConfig:
+    proxyMetadata:
+      ISTIO_DELTA_XDS: "false"
+    tracing:
+      zipkin:
+        address: zipkin.istio-system:9411
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-demo.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-openshift.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-preview.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-preview.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-preview.yaml
diff --git a/resources/v1.22.3/charts/istiod/files/profile-stable.yaml b/resources/v1.22.5/charts/ztunnel/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.22.3/charts/istiod/files/profile-stable.yaml
rename to resources/v1.22.5/charts/ztunnel/files/profile-stable.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/templates/NOTES.txt b/resources/v1.22.5/charts/ztunnel/templates/NOTES.txt
similarity index 100%
rename from resources/v1.22.3/charts/ztunnel/templates/NOTES.txt
rename to resources/v1.22.5/charts/ztunnel/templates/NOTES.txt
diff --git a/resources/latest/charts/ztunnel/templates/_helpers.tpl b/resources/v1.22.5/charts/ztunnel/templates/_helpers.tpl
similarity index 100%
rename from resources/latest/charts/ztunnel/templates/_helpers.tpl
rename to resources/v1.22.5/charts/ztunnel/templates/_helpers.tpl
diff --git a/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml b/resources/v1.22.5/charts/ztunnel/templates/daemonset.yaml
similarity index 98%
rename from resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml
rename to resources/v1.22.5/charts/ztunnel/templates/daemonset.yaml
index 5d600d3cc..f83c36dfa 100644
--- a/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml
+++ b/resources/v1.22.5/charts/ztunnel/templates/daemonset.yaml
@@ -4,7 +4,8 @@ metadata:
   name: ztunnel
   namespace: {{ .Release.Namespace }}
   labels:
-    {{- .Values.labels | toYaml | nindent 4}}
+{{- template "istio-labels" -}}
+{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
   annotations:
     {{- .Values.annotations | toYaml | nindent 4 }}
 spec:
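Review bot: `{{- template "istio-labels" -}}` on the new side of the daemonset.yaml hunk is invoked with no context argument, so the partial runs with nil data; if the helper it names dereferences `.Release` or `.Values` (its body is not visible here, `_helpers.tpl` only arrives as a rename in this commit), Go templates resolve those to nothing rather than erroring in non-strict Helm, and the standard labels would be silently empty. Passing dot is harmless when the helper ignores it: `{{- template "istio-labels" . -}}`. Separately, that `_helpers.tpl` is recorded as a rename from `resources/latest/charts/ztunnel/templates/_helpers.tpl`, which means the `latest` copy is removed by this commit; if the `latest` daemonset/rbac templates still call `istio-labels`, rendering `resources/latest` fails with an undefined-template error, so a `helm template` pass over every `resources/<version>/charts/ztunnel` before merging would catch it. The DaemonSet's `metadata` block continues outside the hunk.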
diff --git a/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml b/resources/v1.22.5/charts/ztunnel/templates/rbac.yaml
similarity index 93%
rename from resources/v1.22.3/charts/ztunnel/templates/rbac.yaml
rename to resources/v1.22.5/charts/ztunnel/templates/rbac.yaml
index 9583b200e..f332898e1 100644
--- a/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml
+++ b/resources/v1.22.5/charts/ztunnel/templates/rbac.yaml
@@ -10,7 +10,8 @@ metadata:
   name: ztunnel
   namespace: {{ .Release.Namespace }}
   labels:
-    {{- .Values.labels | toYaml | nindent 4}}
+{{- template "istio-labels" -}}
+{{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }}
   annotations:
     {{- .Values.annotations | toYaml | nindent 4 }}
 ---
diff --git a/resources/v1.23.0/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.22.5/charts/ztunnel/templates/zzz_profile.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/zzz_profile.yaml
rename to resources/v1.22.5/charts/ztunnel/templates/zzz_profile.yaml
diff --git a/resources/v1.22.3/charts/ztunnel/values.yaml b/resources/v1.22.5/charts/ztunnel/values.yaml
similarity index 99%
rename from resources/v1.22.3/charts/ztunnel/values.yaml
rename to resources/v1.22.5/charts/ztunnel/values.yaml
index 1e51bdb60..d45fcf86c 100644
--- a/resources/v1.22.3/charts/ztunnel/values.yaml
+++ b/resources/v1.22.5/charts/ztunnel/values.yaml
@@ -2,7 +2,7 @@ defaults:
   # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
   hub: docker.io/istio
   # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
-  tag: 1.22.3
+  tag: 1.22.5
   # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
   variant: ""
 
diff --git a/resources/v1.22.3/profiles/ambient.yaml b/resources/v1.22.5/profiles/ambient.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/ambient.yaml
rename to resources/v1.22.5/profiles/ambient.yaml
diff --git a/resources/v1.22.3/profiles/default.yaml b/resources/v1.22.5/profiles/default.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/default.yaml
rename to resources/v1.22.5/profiles/default.yaml
diff --git a/resources/v1.22.3/profiles/demo.yaml b/resources/v1.22.5/profiles/demo.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/demo.yaml
rename to resources/v1.22.5/profiles/demo.yaml
diff --git a/resources/v1.22.3/profiles/empty.yaml b/resources/v1.22.5/profiles/empty.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/empty.yaml
rename to resources/v1.22.5/profiles/empty.yaml
diff --git a/resources/v1.22.3/profiles/openshift-ambient.yaml b/resources/v1.22.5/profiles/openshift-ambient.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/openshift-ambient.yaml
rename to resources/v1.22.5/profiles/openshift-ambient.yaml
diff --git a/resources/v1.22.3/profiles/openshift.yaml b/resources/v1.22.5/profiles/openshift.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/openshift.yaml
rename to resources/v1.22.5/profiles/openshift.yaml
diff --git a/resources/v1.22.3/profiles/preview.yaml b/resources/v1.22.5/profiles/preview.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/preview.yaml
rename to resources/v1.22.5/profiles/preview.yaml
diff --git a/resources/v1.22.3/profiles/stable.yaml b/resources/v1.22.5/profiles/stable.yaml
similarity index 100%
rename from resources/v1.22.3/profiles/stable.yaml
rename to resources/v1.22.5/profiles/stable.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/NOTES.txt b/resources/v1.23.0/charts/istiod-remote/NOTES.txt
deleted file mode 100644
index 0230b6f86..000000000
--- a/resources/v1.23.0/charts/istiod-remote/NOTES.txt
+++ /dev/null
@@ -1,4 +0,0 @@ -Install for a remote cluster using an external control plane. - -The templates in this directory are copies of base and istio-discovery templates. -DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen. diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 16a7e6481..000000000 --- a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" diff --git a/resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 97ffb71f2..000000000 --- a/resources/v1.23.0/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null 
@@ -1,250 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation 
.ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," 
}}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . 
}}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
- - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 292f60742..000000000 --- a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.21.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 16a7e6481..000000000 --- a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 292f60742..000000000 --- a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.21.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 16a7e6481..000000000 --- a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,11 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml b/resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/v1.23.0/charts/ztunnel/files/profile-preview.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.23.0/charts/base/Chart.yaml b/resources/v1.23.2/charts/base/Chart.yaml similarity index 86% rename from resources/v1.23.0/charts/base/Chart.yaml rename to resources/v1.23.2/charts/base/Chart.yaml index a09228e65..ad303d352 100644 --- a/resources/v1.23.0/charts/base/Chart.yaml +++ b/resources/v1.23.2/charts/base/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.23.2 description: Helm chart for deploying Istio cluster resources and CRDs icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -7,4 +7,4 @@ keywords: name: base sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/v1.23.0/charts/base/README.md b/resources/v1.23.2/charts/base/README.md similarity index 100% rename from resources/v1.23.0/charts/base/README.md rename to resources/v1.23.2/charts/base/README.md diff --git a/resources/v1.23.0/charts/base/crds/crd-all.gen.yaml b/resources/v1.23.2/charts/base/crds/crd-all.gen.yaml similarity index 99% rename from resources/v1.23.0/charts/base/crds/crd-all.gen.yaml rename to resources/v1.23.2/charts/base/crds/crd-all.gen.yaml index 5efc8b4a5..2f3d6a4b0 100644 --- a/resources/v1.23.0/charts/base/crds/crd-all.gen.yaml +++ b/resources/v1.23.2/charts/base/crds/crd-all.gen.yaml 
@@ -11895,8 +11895,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -12093,8 +12091,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -12291,8 +12287,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' diff --git a/resources/v1.23.0/charts/base/files/profile-ambient.yaml b/resources/v1.23.2/charts/base/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-ambient.yaml rename to resources/v1.23.2/charts/base/files/profile-ambient.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/base/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/base/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 
--- a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.22.yaml similarity index 73% rename from resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/base/files/profile-compatibility-version-1.22.yaml index 2badb70a5..b091e2b94 100644 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml +++ b/resources/v1.23.2/charts/base/files/profile-compatibility-version-1.22.yaml @@ -6,12 +6,7 @@ pilot: env: # 1.23 behavioral changes ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - + meshConfig: defaultConfig: proxyMetadata: diff --git a/resources/v1.23.0/charts/base/files/profile-demo.yaml b/resources/v1.23.2/charts/base/files/profile-demo.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-demo.yaml rename to resources/v1.23.2/charts/base/files/profile-demo.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/base/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/base/files/profile-openshift-ambient.yaml 
diff --git a/resources/v1.23.0/charts/base/files/profile-openshift.yaml b/resources/v1.23.2/charts/base/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-openshift.yaml rename to resources/v1.23.2/charts/base/files/profile-openshift.yaml diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml b/resources/v1.23.2/charts/base/files/profile-preview.yaml similarity index 100% rename from resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml rename to resources/v1.23.2/charts/base/files/profile-preview.yaml diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml b/resources/v1.23.2/charts/base/files/profile-stable.yaml similarity index 100% rename from resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml rename to resources/v1.23.2/charts/base/files/profile-stable.yaml diff --git a/resources/v1.23.0/charts/base/templates/NOTES.txt b/resources/v1.23.2/charts/base/templates/NOTES.txt similarity index 100% rename from resources/v1.23.0/charts/base/templates/NOTES.txt rename to resources/v1.23.2/charts/base/templates/NOTES.txt diff --git a/resources/v1.23.0/charts/base/templates/crds.yaml b/resources/v1.23.2/charts/base/templates/crds.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/crds.yaml rename to resources/v1.23.2/charts/base/templates/crds.yaml diff --git a/resources/v1.23.0/charts/base/templates/default.yaml b/resources/v1.23.2/charts/base/templates/default.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/default.yaml rename to resources/v1.23.2/charts/base/templates/default.yaml diff --git a/resources/v1.23.0/charts/base/templates/endpoints.yaml b/resources/v1.23.2/charts/base/templates/endpoints.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/endpoints.yaml rename to resources/v1.23.2/charts/base/templates/endpoints.yaml 
diff --git a/resources/v1.23.0/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.23.2/charts/base/templates/reader-serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/reader-serviceaccount.yaml rename to resources/v1.23.2/charts/base/templates/reader-serviceaccount.yaml diff --git a/resources/v1.23.0/charts/base/templates/services.yaml b/resources/v1.23.2/charts/base/templates/services.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/services.yaml rename to resources/v1.23.2/charts/base/templates/services.yaml diff --git a/resources/v1.23.0/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.23.2/charts/base/templates/validatingadmissionpolicy.yaml similarity index 100% rename from resources/v1.23.0/charts/base/templates/validatingadmissionpolicy.yaml rename to resources/v1.23.2/charts/base/templates/validatingadmissionpolicy.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.2/charts/base/templates/zzz_profile.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/base/templates/zzz_profile.yaml diff --git a/resources/v1.23.0/charts/base/values.yaml b/resources/v1.23.2/charts/base/values.yaml similarity index 100% rename from resources/v1.23.0/charts/base/values.yaml rename to resources/v1.23.2/charts/base/values.yaml diff --git a/resources/v1.23.0/charts/cni/Chart.yaml b/resources/v1.23.2/charts/cni/Chart.yaml similarity index 85% rename from resources/v1.23.0/charts/cni/Chart.yaml rename to resources/v1.23.2/charts/cni/Chart.yaml index 399703948..4ffafb619 100644 --- a/resources/v1.23.0/charts/cni/Chart.yaml +++ b/resources/v1.23.2/charts/cni/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.23.2 description: Helm chart for istio-cni components icon: https://istio.io/latest/favicons/android-192x192.png keywords: 
@@ -8,4 +8,4 @@ keywords: name: cni sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/v1.23.0/charts/cni/README.md b/resources/v1.23.2/charts/cni/README.md similarity index 100% rename from resources/v1.23.0/charts/cni/README.md rename to resources/v1.23.2/charts/cni/README.md diff --git a/resources/v1.23.0/charts/cni/files/profile-ambient.yaml b/resources/v1.23.2/charts/cni/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-ambient.yaml rename to resources/v1.23.2/charts/cni/files/profile-ambient.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/base/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 --- a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: 
diff --git a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.22.yaml
similarity index 72%
rename from resources/v1.23.0/charts/base/files/profile-compatibility-version-1.22.yaml
rename to resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.22.yaml
index 16a7e6481..b091e2b94 100644
--- a/resources/v1.23.0/charts/base/files/profile-compatibility-version-1.22.yaml
+++ b/resources/v1.23.2/charts/cni/files/profile-compatibility-version-1.22.yaml
@@ -2,10 +2,15 @@
 # The original version of this file is located at /manifests/helm-profiles directory.
 # If you want to make a change in this file, edit the original one and run "make gen".
 
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
 meshConfig:
 defaultConfig:
 proxyMetadata:
 # 1.22 behavioral changes
 ENABLE_DEFERRED_CLUSTER_CREATION: "false"
 # 1.23 behavioral changes
- ENABLE_DELIMITED_STATS_TAG_REGEX": "false"
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.0/charts/cni/files/profile-demo.yaml b/resources/v1.23.2/charts/cni/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/files/profile-demo.yaml
rename to resources/v1.23.2/charts/cni/files/profile-demo.yaml
diff --git a/resources/v1.23.0/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/cni/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/files/profile-openshift-ambient.yaml
rename to resources/v1.23.2/charts/cni/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.23.0/charts/cni/files/profile-openshift.yaml b/resources/v1.23.2/charts/cni/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.23.0/charts/cni/files/profile-openshift.yaml
rename to resources/v1.23.2/charts/cni/files/profile-openshift.yaml
diff --git a/resources/v1.23.0/charts/base/files/profile-preview.yaml b/resources/v1.23.2/charts/cni/files/profile-preview.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-preview.yaml rename to resources/v1.23.2/charts/cni/files/profile-preview.yaml diff --git a/resources/v1.23.0/charts/base/files/profile-stable.yaml b/resources/v1.23.2/charts/cni/files/profile-stable.yaml similarity index 100% rename from resources/v1.23.0/charts/base/files/profile-stable.yaml rename to resources/v1.23.2/charts/cni/files/profile-stable.yaml diff --git a/resources/v1.23.0/charts/cni/templates/NOTES.txt b/resources/v1.23.2/charts/cni/templates/NOTES.txt similarity index 100% rename from resources/v1.23.0/charts/cni/templates/NOTES.txt rename to resources/v1.23.2/charts/cni/templates/NOTES.txt diff --git a/resources/v1.23.0/charts/cni/templates/_helpers.tpl b/resources/v1.23.2/charts/cni/templates/_helpers.tpl similarity index 100% rename from resources/v1.23.0/charts/cni/templates/_helpers.tpl rename to resources/v1.23.2/charts/cni/templates/_helpers.tpl diff --git a/resources/v1.23.0/charts/cni/templates/clusterrole.yaml b/resources/v1.23.2/charts/cni/templates/clusterrole.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/clusterrole.yaml rename to resources/v1.23.2/charts/cni/templates/clusterrole.yaml diff --git a/resources/v1.23.0/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.23.2/charts/cni/templates/clusterrolebinding.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/clusterrolebinding.yaml rename to resources/v1.23.2/charts/cni/templates/clusterrolebinding.yaml diff --git a/resources/v1.23.0/charts/cni/templates/configmap-cni.yaml b/resources/v1.23.2/charts/cni/templates/configmap-cni.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/configmap-cni.yaml rename to resources/v1.23.2/charts/cni/templates/configmap-cni.yaml 
diff --git a/resources/v1.23.0/charts/cni/templates/daemonset.yaml b/resources/v1.23.2/charts/cni/templates/daemonset.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/daemonset.yaml rename to resources/v1.23.2/charts/cni/templates/daemonset.yaml diff --git a/resources/v1.23.0/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.23.2/charts/cni/templates/network-attachment-definition.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/network-attachment-definition.yaml rename to resources/v1.23.2/charts/cni/templates/network-attachment-definition.yaml diff --git a/resources/v1.23.0/charts/cni/templates/resourcequota.yaml b/resources/v1.23.2/charts/cni/templates/resourcequota.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/resourcequota.yaml rename to resources/v1.23.2/charts/cni/templates/resourcequota.yaml diff --git a/resources/v1.23.0/charts/cni/templates/serviceaccount.yaml b/resources/v1.23.2/charts/cni/templates/serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/templates/serviceaccount.yaml rename to resources/v1.23.2/charts/cni/templates/serviceaccount.yaml diff --git a/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml b/resources/v1.23.2/charts/cni/templates/zzz_profile.yaml similarity index 88% rename from resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/cni/templates/zzz_profile.yaml index 6359d435a..2d0bd4af7 100644 --- a/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml +++ b/resources/v1.23.2/charts/cni/templates/zzz_profile.yaml 
@@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
 {{- $defaults := $.Values.defaults }}
 {{- $_ := unset $.Values "defaults" }}
 {{- $profile := dict }}
@@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.0/charts/cni/values.yaml b/resources/v1.23.2/charts/cni/values.yaml
similarity index 99%
rename from resources/v1.23.0/charts/cni/values.yaml
rename to resources/v1.23.2/charts/cni/values.yaml
index 073f6366a..4c467874d 100644
--- a/resources/v1.23.0/charts/cni/values.yaml
+++ b/resources/v1.23.2/charts/cni/values.yaml
@@ -113,7 +113,7 @@ defaults:
 hub: docker.io/istio
 
 # Default tag for Istio images.
- tag: 1.23.0
+ tag: 1.23.2
 
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
diff --git a/resources/v1.21.5/charts/gateway/Chart.yaml b/resources/v1.23.2/charts/gateway/Chart.yaml
similarity index 86%
rename from resources/v1.21.5/charts/gateway/Chart.yaml
rename to resources/v1.23.2/charts/gateway/Chart.yaml
index f17abf8ab..d1391f70a 100644
--- a/resources/v1.21.5/charts/gateway/Chart.yaml
+++ b/resources/v1.23.2/charts/gateway/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.21.5
+appVersion: 1.23.2
 description: Helm chart for deploying Istio gateways
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
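Review bot: In the second hunk (`@@ -35,4 +36,8 @@`), `{{- if false }}` makes the `mustMergeOverwrite $defaults $globals` line unreachable, so the `$globals` deep copy added in the first hunk is computed but never used, and `# Flatten globals, if defined on a per-chart basis` is a YAML comment in the rendered output rather than a template comment. If the literal `false` is a switch that the chart generator rewrites for charts that flatten `.Values.global` (the comment suggests it, but nothing in this diff confirms it), a template-level note should say so, e.g. `{{/* 'false' is a generation-time placeholder; charts that flatten globals have it rewritten to true — TODO confirm */}}`; otherwise the guard, its body and the `$globals` assignment are dead code to drop. This is a vendored upstream template, so any change should be made upstream rather than in this copy.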
@@ -9,4 +9,4 @@ name: gateway
 sources:
 - https://github.com/istio/istio
 type: application
-version: 1.21.5
+version: 1.23.2
diff --git a/resources/v1.23.0/charts/gateway/README.md b/resources/v1.23.2/charts/gateway/README.md
similarity index 100%
rename from resources/v1.23.0/charts/gateway/README.md
rename to resources/v1.23.2/charts/gateway/README.md
diff --git a/resources/v1.23.0/charts/gateway/files/profile-ambient.yaml b/resources/v1.23.2/charts/gateway/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/files/profile-ambient.yaml
rename to resources/v1.23.2/charts/gateway/files/profile-ambient.yaml
diff --git a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.21.yaml
similarity index 88%
rename from resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.21.yaml
rename to resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.21.yaml
index 292f60742..d11c242b5 100644
--- a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.21.yaml
+++ b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.21.yaml
@@ -7,6 +7,10 @@ pilot:
 # 1.22 behavioral changes
 ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
 ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
 meshConfig:
 # 1.22 behavioral changes
 defaultConfig:
diff --git a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.22.yaml similarity index 72% rename from resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.22.yaml index 16a7e6481..b091e2b94 100644 --- a/resources/v1.23.0/charts/cni/files/profile-compatibility-version-1.22.yaml +++ b/resources/v1.23.2/charts/gateway/files/profile-compatibility-version-1.22.yaml @@ -2,10 +2,15 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: defaultConfig: proxyMetadata: # 1.22 behavioral changes ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.0/charts/gateway/files/profile-demo.yaml b/resources/v1.23.2/charts/gateway/files/profile-demo.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-demo.yaml rename to resources/v1.23.2/charts/gateway/files/profile-demo.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/gateway/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/gateway/files/profile-openshift-ambient.yaml 
diff --git a/resources/v1.23.0/charts/gateway/files/profile-openshift.yaml b/resources/v1.23.2/charts/gateway/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-openshift.yaml rename to resources/v1.23.2/charts/gateway/files/profile-openshift.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-preview.yaml b/resources/v1.23.2/charts/gateway/files/profile-preview.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-preview.yaml rename to resources/v1.23.2/charts/gateway/files/profile-preview.yaml diff --git a/resources/v1.23.0/charts/cni/files/profile-stable.yaml b/resources/v1.23.2/charts/gateway/files/profile-stable.yaml similarity index 100% rename from resources/v1.23.0/charts/cni/files/profile-stable.yaml rename to resources/v1.23.2/charts/gateway/files/profile-stable.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/NOTES.txt b/resources/v1.23.2/charts/gateway/templates/NOTES.txt similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/NOTES.txt rename to resources/v1.23.2/charts/gateway/templates/NOTES.txt diff --git a/resources/v1.23.0/charts/gateway/templates/_helpers.tpl b/resources/v1.23.2/charts/gateway/templates/_helpers.tpl similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/_helpers.tpl rename to resources/v1.23.2/charts/gateway/templates/_helpers.tpl diff --git a/resources/v1.23.0/charts/gateway/templates/deployment.yaml b/resources/v1.23.2/charts/gateway/templates/deployment.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/deployment.yaml rename to resources/v1.23.2/charts/gateway/templates/deployment.yaml 
diff --git a/resources/v1.23.0/charts/gateway/templates/hpa.yaml b/resources/v1.23.2/charts/gateway/templates/hpa.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/hpa.yaml rename to resources/v1.23.2/charts/gateway/templates/hpa.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.23.2/charts/gateway/templates/poddisruptionbudget.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/poddisruptionbudget.yaml rename to resources/v1.23.2/charts/gateway/templates/poddisruptionbudget.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/role.yaml b/resources/v1.23.2/charts/gateway/templates/role.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/role.yaml rename to resources/v1.23.2/charts/gateway/templates/role.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/service.yaml b/resources/v1.23.2/charts/gateway/templates/service.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/service.yaml rename to resources/v1.23.2/charts/gateway/templates/service.yaml diff --git a/resources/v1.23.0/charts/gateway/templates/serviceaccount.yaml b/resources/v1.23.2/charts/gateway/templates/serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/templates/serviceaccount.yaml rename to resources/v1.23.2/charts/gateway/templates/serviceaccount.yaml diff --git a/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.2/charts/gateway/templates/zzz_profile.yaml similarity index 88% rename from resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/gateway/templates/zzz_profile.yaml index 6359d435a..2d0bd4af7 100644 --- a/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml +++ b/resources/v1.23.2/charts/gateway/templates/zzz_profile.yaml 
@@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
 {{- $defaults := $.Values.defaults }}
 {{- $_ := unset $.Values "defaults" }}
 {{- $profile := dict }}
@@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.22.3/charts/gateway/values.schema.json b/resources/v1.23.2/charts/gateway/values.schema.json
similarity index 97%
rename from resources/v1.22.3/charts/gateway/values.schema.json
rename to resources/v1.23.2/charts/gateway/values.schema.json
index c97d84c1e..4c4f0836d 100644
--- a/resources/v1.22.3/charts/gateway/values.schema.json
+++ b/resources/v1.23.2/charts/gateway/values.schema.json
@@ -99,10 +99,10 @@
 "type": "object",
 "properties": {
 "cpu": {
- "type": "string"
+ "type": ["string", "null"]
 },
 "memory": {
- "type": "string"
+ "type": ["string", "null"]
 }
 }
 },
@@ -110,10 +110,10 @@
 "type": "object",
 "properties": {
 "cpu": {
- "type": "string"
+ "type": ["string", "null"]
 },
 "memory": {
- "type": "string"
+ "type": ["string", "null"]
 }
 }
 }
diff --git a/resources/v1.23.0/charts/gateway/values.yaml b/resources/v1.23.2/charts/gateway/values.yaml
similarity index 100%
rename from resources/v1.23.0/charts/gateway/values.yaml
rename to resources/v1.23.2/charts/gateway/values.yaml
diff --git a/resources/v1.23.0/charts/istiod-remote/Chart.yaml b/resources/v1.23.2/charts/istiod-remote/Chart.yaml similarity index 87% rename from resources/v1.23.0/charts/istiod-remote/Chart.yaml rename to resources/v1.23.2/charts/istiod-remote/Chart.yaml index 5761e4804..9c2932152 100644 --- a/resources/v1.23.0/charts/istiod-remote/Chart.yaml +++ b/resources/v1.23.2/charts/istiod-remote/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.23.2 description: Helm chart for a remote cluster using an external istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -8,4 +8,4 @@ keywords: name: istiod-remote sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/latest/charts/istiod-remote/NOTES.txt b/resources/v1.23.2/charts/istiod-remote/NOTES.txt similarity index 100% rename from resources/latest/charts/istiod-remote/NOTES.txt rename to resources/v1.23.2/charts/istiod-remote/NOTES.txt diff --git a/resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml b/resources/v1.23.2/charts/istiod-remote/files/gateway-injection-template.yaml similarity index 100% rename from resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml rename to resources/v1.23.2/charts/istiod-remote/files/gateway-injection-template.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/injection-template.yaml b/resources/v1.23.2/charts/istiod-remote/files/injection-template.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/injection-template.yaml rename to resources/v1.23.2/charts/istiod-remote/files/injection-template.yaml 
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-ambient.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-ambient.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-ambient.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml similarity index 88% rename from resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.21.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml index 292f60742..d11c242b5 100644 --- a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml @@ -7,6 +7,10 @@ pilot: # 1.22 behavioral changes ENABLE_ENHANCED_RESOURCE_SCOPING: "false" ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" + + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: # 1.22 behavioral changes defaultConfig: 
diff --git a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml similarity index 72% rename from resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.22.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml index 16a7e6481..b091e2b94 100644 --- a/resources/v1.23.0/charts/gateway/files/profile-compatibility-version-1.22.yaml +++ b/resources/v1.23.2/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml @@ -2,10 +2,15 @@ # The original version of this file is located at /manifests/helm-profiles directory. # If you want to make a change in this file, edit the original one and run "make gen". +pilot: + env: + # 1.23 behavioral changes + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" + meshConfig: defaultConfig: proxyMetadata: # 1.22 behavioral changes ENABLE_DEFERRED_CLUSTER_CREATION: "false" # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX": "false" + ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-demo.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-demo.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-demo.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-demo.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-openshift-ambient.yaml 
diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-openshift.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-openshift.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-openshift.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-preview.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-preview.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-preview.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-preview.yaml diff --git a/resources/v1.23.0/charts/gateway/files/profile-stable.yaml b/resources/v1.23.2/charts/istiod-remote/files/profile-stable.yaml similarity index 100% rename from resources/v1.23.0/charts/gateway/files/profile-stable.yaml rename to resources/v1.23.2/charts/istiod-remote/files/profile-stable.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/_helpers.tpl b/resources/v1.23.2/charts/istiod-remote/templates/_helpers.tpl similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/_helpers.tpl rename to resources/v1.23.2/charts/istiod-remote/templates/_helpers.tpl diff --git a/resources/v1.23.0/charts/istiod-remote/templates/clusterrole.yaml b/resources/v1.23.2/charts/istiod-remote/templates/clusterrole.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/clusterrole.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/clusterrole.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod-remote/templates/clusterrolebinding.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/clusterrolebinding.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/clusterrolebinding.yaml 
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/configmap.yaml b/resources/v1.23.2/charts/istiod-remote/templates/configmap.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/configmap.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/configmap.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/default.yaml b/resources/v1.23.2/charts/istiod-remote/templates/default.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/default.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/default.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml b/resources/v1.23.2/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/endpoints.yaml b/resources/v1.23.2/charts/istiod-remote/templates/endpoints.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/endpoints.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/endpoints.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/resources/v1.23.2/charts/istiod-remote/templates/istiod-injector-configmap.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/istiod-injector-configmap.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/istiod-injector-configmap.yaml 
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/v1.23.2/charts/istiod-remote/templates/mutatingwebhook.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/mutatingwebhook.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/mutatingwebhook.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrole.yaml b/resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrole.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrole.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrole.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrolebinding.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/reader-clusterrolebinding.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/reader-clusterrolebinding.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/reader-serviceaccount.yaml b/resources/v1.23.2/charts/istiod-remote/templates/reader-serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/reader-serviceaccount.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/reader-serviceaccount.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/role.yaml b/resources/v1.23.2/charts/istiod-remote/templates/role.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/role.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/role.yaml 
diff --git a/resources/v1.23.0/charts/istiod-remote/templates/rolebinding.yaml b/resources/v1.23.2/charts/istiod-remote/templates/rolebinding.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/rolebinding.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/rolebinding.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/serviceaccount.yaml b/resources/v1.23.2/charts/istiod-remote/templates/serviceaccount.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/serviceaccount.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/serviceaccount.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/services.yaml b/resources/v1.23.2/charts/istiod-remote/templates/services.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/services.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/services.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/resources/v1.23.2/charts/istiod-remote/templates/validatingadmissionpolicy.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/validatingadmissionpolicy.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/validatingadmissionpolicy.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/resources/v1.23.2/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml 
diff --git a/resources/v1.22.3/charts/base/templates/zzz_profile.yaml b/resources/v1.23.2/charts/istiod-remote/templates/zzz_profile.yaml similarity index 88% rename from resources/v1.22.3/charts/base/templates/zzz_profile.yaml rename to resources/v1.23.2/charts/istiod-remote/templates/zzz_profile.yaml index 6359d435a..2d0bd4af7 100644 --- a/resources/v1.22.3/charts/base/templates/zzz_profile.yaml +++ b/resources/v1.23.2/charts/istiod-remote/templates/zzz_profile.yaml @@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val We can then merge the profile onto the defaults, then the user settings onto that. Finally, we can set all of that under .Values so the chart behaves without awareness. */}} +{{- $globals := $.Values.global | default dict | deepCopy }} {{- $defaults := $.Values.defaults }} {{- $_ := unset $.Values "defaults" }} {{- $profile := dict }} @@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware {{- if $profile }} {{- $a := mustMergeOverwrite $defaults $profile }} {{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults $globals }} +{{- end }} {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.23.0/charts/istiod-remote/values.yaml b/resources/v1.23.2/charts/istiod-remote/values.yaml similarity index 99% rename from resources/v1.23.0/charts/istiod-remote/values.yaml rename to resources/v1.23.2/charts/istiod-remote/values.yaml index bf321991b..9e7033e2b 100644 --- a/resources/v1.23.0/charts/istiod-remote/values.yaml +++ b/resources/v1.23.2/charts/istiod-remote/values.yaml @@ -201,7 +201,7 @@ defaults: # Dev builds from prow are on gcr.io hub: docker.io/istio # Default tag for Istio images. - tag: 1.23.0 + tag: 1.23.2 # Variant of the image to use. # Currently supported are: [debug, distroless] variant: "" 
diff --git a/resources/v1.23.0/charts/istiod/Chart.yaml b/resources/v1.23.2/charts/istiod/Chart.yaml similarity index 86% rename from resources/v1.23.0/charts/istiod/Chart.yaml rename to resources/v1.23.2/charts/istiod/Chart.yaml index e5d4e8096..2370157bb 100644 --- a/resources/v1.23.0/charts/istiod/Chart.yaml +++ b/resources/v1.23.2/charts/istiod/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.23.0 +appVersion: 1.23.2 description: Helm chart for istio control plane icon: https://istio.io/latest/favicons/android-192x192.png keywords: @@ -9,4 +9,4 @@ keywords: name: istiod sources: - https://github.com/istio/istio -version: 1.23.0 +version: 1.23.2 diff --git a/resources/v1.23.0/charts/istiod/README.md b/resources/v1.23.2/charts/istiod/README.md similarity index 100% rename from resources/v1.23.0/charts/istiod/README.md rename to resources/v1.23.2/charts/istiod/README.md diff --git a/resources/v1.23.0/charts/istiod-remote/files/gateway-injection-template.yaml b/resources/v1.23.2/charts/istiod/files/gateway-injection-template.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/gateway-injection-template.yaml rename to resources/v1.23.2/charts/istiod/files/gateway-injection-template.yaml diff --git a/resources/v1.23.0/charts/istiod/files/grpc-agent.yaml b/resources/v1.23.2/charts/istiod/files/grpc-agent.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/grpc-agent.yaml rename to resources/v1.23.2/charts/istiod/files/grpc-agent.yaml diff --git a/resources/v1.23.0/charts/istiod/files/grpc-simple.yaml b/resources/v1.23.2/charts/istiod/files/grpc-simple.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/grpc-simple.yaml rename to resources/v1.23.2/charts/istiod/files/grpc-simple.yaml 
diff --git a/resources/v1.23.0/charts/istiod/files/injection-template.yaml b/resources/v1.23.2/charts/istiod/files/injection-template.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/injection-template.yaml rename to resources/v1.23.2/charts/istiod/files/injection-template.yaml diff --git a/resources/v1.23.0/charts/istiod/files/kube-gateway.yaml b/resources/v1.23.2/charts/istiod/files/kube-gateway.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/kube-gateway.yaml rename to resources/v1.23.2/charts/istiod/files/kube-gateway.yaml diff --git a/resources/v1.23.0/charts/istiod/files/profile-ambient.yaml b/resources/v1.23.2/charts/istiod/files/profile-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/profile-ambient.yaml rename to resources/v1.23.2/charts/istiod/files/profile-ambient.yaml diff --git a/resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.20.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/profile-compatibility-version-1.20.yaml rename to resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.20.yaml diff --git a/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml new file mode 100644 index 000000000..d11c242b5 --- /dev/null +++ b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.21.yaml 
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.2/charts/istiod/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.0/charts/istiod/files/profile-demo.yaml b/resources/v1.23.2/charts/istiod/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-demo.yaml
rename to resources/v1.23.2/charts/istiod/files/profile-demo.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/istiod/files/profile-openshift-ambient.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/profile-openshift-ambient.yaml rename to resources/v1.23.2/charts/istiod/files/profile-openshift-ambient.yaml diff --git a/resources/v1.23.0/charts/istiod/files/profile-openshift.yaml b/resources/v1.23.2/charts/istiod/files/profile-openshift.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/profile-openshift.yaml rename to resources/v1.23.2/charts/istiod/files/profile-openshift.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-preview.yaml b/resources/v1.23.2/charts/istiod/files/profile-preview.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-preview.yaml rename to resources/v1.23.2/charts/istiod/files/profile-preview.yaml diff --git a/resources/v1.23.0/charts/istiod-remote/files/profile-stable.yaml b/resources/v1.23.2/charts/istiod/files/profile-stable.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod-remote/files/profile-stable.yaml rename to resources/v1.23.2/charts/istiod/files/profile-stable.yaml diff --git a/resources/v1.23.0/charts/istiod/files/waypoint.yaml b/resources/v1.23.2/charts/istiod/files/waypoint.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/files/waypoint.yaml rename to resources/v1.23.2/charts/istiod/files/waypoint.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/NOTES.txt b/resources/v1.23.2/charts/istiod/templates/NOTES.txt similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/NOTES.txt rename to resources/v1.23.2/charts/istiod/templates/NOTES.txt 
diff --git a/resources/v1.23.0/charts/istiod/templates/_helpers.tpl b/resources/v1.23.2/charts/istiod/templates/_helpers.tpl similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/_helpers.tpl rename to resources/v1.23.2/charts/istiod/templates/_helpers.tpl diff --git a/resources/v1.23.0/charts/istiod/templates/autoscale.yaml b/resources/v1.23.2/charts/istiod/templates/autoscale.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/autoscale.yaml rename to resources/v1.23.2/charts/istiod/templates/autoscale.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/clusterrole.yaml b/resources/v1.23.2/charts/istiod/templates/clusterrole.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/clusterrole.yaml rename to resources/v1.23.2/charts/istiod/templates/clusterrole.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod/templates/clusterrolebinding.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/clusterrolebinding.yaml rename to resources/v1.23.2/charts/istiod/templates/clusterrolebinding.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.23.2/charts/istiod/templates/configmap-jwks.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/configmap-jwks.yaml rename to resources/v1.23.2/charts/istiod/templates/configmap-jwks.yaml diff --git a/resources/v1.23.0/charts/istiod/templates/configmap.yaml b/resources/v1.23.2/charts/istiod/templates/configmap.yaml similarity index 100% rename from resources/v1.23.0/charts/istiod/templates/configmap.yaml rename to resources/v1.23.2/charts/istiod/templates/configmap.yaml 
diff --git a/resources/v1.23.0/charts/istiod/templates/deployment.yaml b/resources/v1.23.2/charts/istiod/templates/deployment.yaml
similarity index 97%
rename from resources/v1.23.0/charts/istiod/templates/deployment.yaml
rename to resources/v1.23.2/charts/istiod/templates/deployment.yaml
index ec688808d..940c49a8e 100644
--- a/resources/v1.23.0/charts/istiod/templates/deployment.yaml
+++ b/resources/v1.23.2/charts/istiod/templates/deployment.yaml
@@ -166,7 +166,8 @@ spec:
 {{- end }}
 # If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then
 # don't set it here to avoid duplication.
-{{- if and .Values.global.externalIstiod (eq .Values.pilot.env.EXTERNAL_ISTIOD "")}}
+# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449
+{{- if and .Values.global.externalIstiod (not (and .Values.pilot.env .Values.pilot.env.EXTERNAL_ISTIOD)) }}
 - name: EXTERNAL_ISTIOD
 value: "{{ .Values.global.externalIstiod }}"
 {{- end }}
diff --git a/resources/v1.23.0/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.23.2/charts/istiod/templates/istiod-injector-configmap.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/istiod-injector-configmap.yaml
rename to resources/v1.23.2/charts/istiod/templates/istiod-injector-configmap.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.23.2/charts/istiod/templates/mutatingwebhook.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/mutatingwebhook.yaml
rename to resources/v1.23.2/charts/istiod/templates/mutatingwebhook.yaml
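Review bot: The rewritten condition tests the truthiness of `pilot.env.EXTERNAL_ISTIOD`, not its presence, so a user who pins `EXTERNAL_ISTIOD: false` as a YAML boolean (or to `""`) is treated as having left it unset and the global branch renders a second EXTERNAL_ISTIOD entry alongside the one presumably emitted from `pilot.env` elsewhere in the template — the duplication the comment two lines above says it is meant to avoid. Testing for the key instead closes that gap while keeping the nil-map protection the change adds: `{{- if and .Values.global.externalIstiod (not (and .Values.pilot.env (hasKey .Values.pilot.env "EXTERNAL_ISTIOD"))) }}`. The env list this sits in starts and ends outside the hunk, and the file appears to be a copy synced from the upstream Istio chart, so the change would need to land there first.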
diff --git a/resources/v1.23.0/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.23.2/charts/istiod/templates/poddisruptionbudget.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/poddisruptionbudget.yaml
rename to resources/v1.23.2/charts/istiod/templates/poddisruptionbudget.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.23.2/charts/istiod/templates/reader-clusterrole.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/reader-clusterrole.yaml
rename to resources/v1.23.2/charts/istiod/templates/reader-clusterrole.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.23.2/charts/istiod/templates/reader-clusterrolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/reader-clusterrolebinding.yaml
rename to resources/v1.23.2/charts/istiod/templates/reader-clusterrolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/revision-tags.yaml b/resources/v1.23.2/charts/istiod/templates/revision-tags.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/revision-tags.yaml
rename to resources/v1.23.2/charts/istiod/templates/revision-tags.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/role.yaml b/resources/v1.23.2/charts/istiod/templates/role.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/role.yaml
rename to resources/v1.23.2/charts/istiod/templates/role.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/rolebinding.yaml b/resources/v1.23.2/charts/istiod/templates/rolebinding.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/rolebinding.yaml
rename to resources/v1.23.2/charts/istiod/templates/rolebinding.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/service.yaml b/resources/v1.23.2/charts/istiod/templates/service.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/service.yaml
rename to resources/v1.23.2/charts/istiod/templates/service.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/serviceaccount.yaml b/resources/v1.23.2/charts/istiod/templates/serviceaccount.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/serviceaccount.yaml
rename to resources/v1.23.2/charts/istiod/templates/serviceaccount.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.23.2/charts/istiod/templates/validatingadmissionpolicy.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/validatingadmissionpolicy.yaml
rename to resources/v1.23.2/charts/istiod/templates/validatingadmissionpolicy.yaml
diff --git a/resources/v1.23.0/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.23.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/templates/validatingwebhookconfiguration.yaml
rename to resources/v1.23.2/charts/istiod/templates/validatingwebhookconfiguration.yaml
diff --git a/resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml b/resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml
new file mode 100644
index 000000000..2d0bd4af7
--- /dev/null
+++ b/resources/v1.23.2/charts/istiod/templates/zzz_profile.yaml
@@ -0,0 +1,43 @@
+{{/*
+WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY.
+The original version of this file is located at /manifests directory.
+If you want to make a change in this file, edit the original one and run "make gen".
+
+Complex logic ahead...
+We have three sets of values, in order of precedence (last wins):
+1. The builtin values.yaml defaults
+2. The profile the user selects
+3. Users input (-f or --set)
+
+Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2).
+
+However, we can workaround this by placing all of (1) under a specific key (.Values.defaults).
+We can then merge the profile onto the defaults, then the user settings onto that.
+Finally, we can set all of that under .Values so the chart behaves without awareness.
+*/}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
+{{- $defaults := $.Values.defaults }}
+{{- $_ := unset $.Values "defaults" }}
+{{- $profile := dict }}
+{{- with .Values.profile }}
+{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}}
+{{- $profile = (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown profile" $.Values.profile) }}
+{{- end }}
+{{- end }}
+{{- with .Values.compatibilityVersion }}
+{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }}
+{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }}
+{{- else }}
+{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }}
+{{- end }}
+{{- end }}
+{{- if $profile }}
+{{- $a := mustMergeOverwrite $defaults $profile }}
+{{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if false }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
+{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.0/charts/istiod/values.yaml b/resources/v1.23.2/charts/istiod/values.yaml
similarity index 99%
rename from resources/v1.23.0/charts/istiod/values.yaml
rename to resources/v1.23.2/charts/istiod/values.yaml
index df2cbf842..fbb4d2695 100644
--- a/resources/v1.23.0/charts/istiod/values.yaml
+++ b/resources/v1.23.2/charts/istiod/values.yaml
@@ -238,7 +238,7 @@ defaults:
 # Dev builds from prow are on gcr.io
 hub: docker.io/istio
 # Default tag for Istio images.
- tag: 1.23.0
+ tag: 1.23.2
 # Variant of the image to use.
 # Currently supported are: [debug, distroless]
 variant: ""
diff --git a/resources/v1.23.0/charts/ztunnel/Chart.yaml b/resources/v1.23.2/charts/ztunnel/Chart.yaml
similarity index 86%
rename from resources/v1.23.0/charts/ztunnel/Chart.yaml
rename to resources/v1.23.2/charts/ztunnel/Chart.yaml
index 94cb4e67d..b811b639a 100644
--- a/resources/v1.23.0/charts/ztunnel/Chart.yaml
+++ b/resources/v1.23.2/charts/ztunnel/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 1.23.0
+appVersion: 1.23.2
 description: Helm chart for istio ztunnel components
 icon: https://istio.io/latest/favicons/android-192x192.png
 keywords:
@@ -8,4 +8,4 @@ keywords:
 name: ztunnel
 sources:
 - https://github.com/istio/istio
-version: 1.23.0
+version: 1.23.2
diff --git a/resources/v1.23.0/charts/ztunnel/README.md b/resources/v1.23.2/charts/ztunnel/README.md
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/README.md
rename to resources/v1.23.2/charts/ztunnel/README.md
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-ambient.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-ambient.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.20.yaml
diff --git a/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
new file mode 100644
index 000000000..d11c242b5
--- /dev/null
+++ b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.21.yaml
@@ -0,0 +1,23 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.22 behavioral changes
+ ENABLE_ENHANCED_RESOURCE_SCOPING: "false"
+ ENABLE_RESOLUTION_NONE_TARGET_PORT: "false"
+
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ # 1.22 behavioral changes
+ defaultConfig:
+ proxyMetadata:
+ ISTIO_DELTA_XDS: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+ tracing:
+ zipkin:
+ address: zipkin.istio-system:9411
diff --git a/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
new file mode 100644
index 000000000..b091e2b94
--- /dev/null
+++ b/resources/v1.23.2/charts/ztunnel/files/profile-compatibility-version-1.22.yaml
@@ -0,0 +1,16 @@
+# WARNING: DO NOT EDIT, THIS FILE IS A COPY.
+# The original version of this file is located at /manifests/helm-profiles directory.
+# If you want to make a change in this file, edit the original one and run "make gen".
+
+pilot:
+ env:
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
+
+meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # 1.22 behavioral changes
+ ENABLE_DEFERRED_CLUSTER_CREATION: "false"
+ # 1.23 behavioral changes
+ ENABLE_DELIMITED_STATS_TAG_REGEX: "false"
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-demo.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-demo.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-demo.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-demo.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-openshift-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-openshift-ambient.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-openshift-ambient.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-openshift.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/files/profile-openshift.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-openshift.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-preview.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-preview.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-preview.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-preview.yaml
diff --git a/resources/v1.23.0/charts/istiod/files/profile-stable.yaml b/resources/v1.23.2/charts/ztunnel/files/profile-stable.yaml
similarity index 100%
rename from resources/v1.23.0/charts/istiod/files/profile-stable.yaml
rename to resources/v1.23.2/charts/ztunnel/files/profile-stable.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/templates/NOTES.txt b/resources/v1.23.2/charts/ztunnel/templates/NOTES.txt
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/NOTES.txt
rename to resources/v1.23.2/charts/ztunnel/templates/NOTES.txt
diff --git a/resources/v1.23.0/charts/ztunnel/templates/_helpers.tpl b/resources/v1.23.2/charts/ztunnel/templates/_helpers.tpl
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/_helpers.tpl
rename to resources/v1.23.2/charts/ztunnel/templates/_helpers.tpl
diff --git a/resources/v1.23.0/charts/ztunnel/templates/daemonset.yaml b/resources/v1.23.2/charts/ztunnel/templates/daemonset.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/daemonset.yaml
rename to resources/v1.23.2/charts/ztunnel/templates/daemonset.yaml
diff --git a/resources/v1.23.0/charts/ztunnel/templates/rbac.yaml b/resources/v1.23.2/charts/ztunnel/templates/rbac.yaml
similarity index 100%
rename from resources/v1.23.0/charts/ztunnel/templates/rbac.yaml
rename to resources/v1.23.2/charts/ztunnel/templates/rbac.yaml
diff --git a/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml b/resources/v1.23.2/charts/ztunnel/templates/zzz_profile.yaml
similarity index 88%
rename from resources/v1.22.3/charts/cni/templates/zzz_profile.yaml
rename to resources/v1.23.2/charts/ztunnel/templates/zzz_profile.yaml
index 6359d435a..752a7f375 100644
--- a/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml
+++ b/resources/v1.23.2/charts/ztunnel/templates/zzz_profile.yaml
@@ -15,6 +15,7 @@ However, we can workaround this by placing all of (1) under a specific key (.Val
 We can then merge the profile onto the defaults, then the user settings onto that.
 Finally, we can set all of that under .Values so the chart behaves without awareness.
 */}}
+{{- $globals := $.Values.global | default dict | deepCopy }}
 {{- $defaults := $.Values.defaults }}
 {{- $_ := unset $.Values "defaults" }}
 {{- $profile := dict }}
@@ -35,4 +36,8 @@ Finally, we can set all of that under .Values so the chart behaves without aware
 {{- if $profile }}
 {{- $a := mustMergeOverwrite $defaults $profile }}
 {{- end }}
+# Flatten globals, if defined on a per-chart basis
+{{- if true }}
+{{- $a := mustMergeOverwrite $defaults $globals }}
+{{- end }}
 {{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }}
diff --git a/resources/v1.23.0/charts/ztunnel/values.yaml b/resources/v1.23.2/charts/ztunnel/values.yaml
similarity index 99%
rename from resources/v1.23.0/charts/ztunnel/values.yaml
rename to resources/v1.23.2/charts/ztunnel/values.yaml
index c3220356b..64ebfcaba 100644
--- a/resources/v1.23.0/charts/ztunnel/values.yaml
+++ b/resources/v1.23.2/charts/ztunnel/values.yaml
@@ -4,7 +4,7 @@ defaults:
 # Hub to pull from. Image will be `Hub/Image:Tag-Variant`
 hub: docker.io/istio
 # Tag to pull from. Image will be `Hub/Image:Tag-Variant`
- tag: 1.23.0
+ tag: 1.23.2
 # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version.
 variant: ""
diff --git a/resources/v1.23.0/profiles/ambient.yaml b/resources/v1.23.2/profiles/ambient.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/ambient.yaml
rename to resources/v1.23.2/profiles/ambient.yaml
diff --git a/resources/v1.23.0/profiles/default.yaml b/resources/v1.23.2/profiles/default.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/default.yaml
rename to resources/v1.23.2/profiles/default.yaml
diff --git a/resources/v1.23.0/profiles/demo.yaml b/resources/v1.23.2/profiles/demo.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/demo.yaml
rename to resources/v1.23.2/profiles/demo.yaml
diff --git a/resources/v1.23.0/profiles/empty.yaml b/resources/v1.23.2/profiles/empty.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/empty.yaml
rename to resources/v1.23.2/profiles/empty.yaml
diff --git a/resources/v1.23.0/profiles/openshift-ambient.yaml b/resources/v1.23.2/profiles/openshift-ambient.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/openshift-ambient.yaml
rename to resources/v1.23.2/profiles/openshift-ambient.yaml
diff --git a/resources/v1.23.0/profiles/openshift.yaml b/resources/v1.23.2/profiles/openshift.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/openshift.yaml
rename to resources/v1.23.2/profiles/openshift.yaml
diff --git a/resources/v1.23.0/profiles/preview.yaml b/resources/v1.23.2/profiles/preview.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/preview.yaml
rename to resources/v1.23.2/profiles/preview.yaml
diff --git a/resources/v1.23.0/profiles/stable.yaml b/resources/v1.23.2/profiles/stable.yaml
similarity index 100%
rename from resources/v1.23.0/profiles/stable.yaml
rename to resources/v1.23.2/profiles/stable.yaml
diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh
index dd5625bb8..8ad6b80c5 100755
--- a/tests/e2e/common-operator-integ-suite.sh
+++ b/tests/e2e/common-operator-integ-suite.sh
@@ -29,6 +29,7 @@ parse_flags() {
 SKIP_DEPLOY=${SKIP_DEPLOY:-false}
 OLM=${OLM:-false}
 DESCRIBE=false
+ MULTICLUSTER=false
 while [ $# -gt 0 ]; do
 case "$1" in
 --ocp)
@@ -39,6 +40,10 @@ parse_flags() {
 shift
 OCP=false
 ;;
+ --multicluster)
+ shift
+ MULTICLUSTER=true
+ ;;
 --skip-build)
 shift
 SKIP_BUILD=true
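Review bot: `MULTICLUSTER=false` in the first hunk is the only new default in parse_flags that cannot be preset from the environment, unlike the neighbouring `SKIP_DEPLOY=${SKIP_DEPLOY:-false}` and `OLM=${OLM:-false}`; a CI job that exports the variable instead of passing `--multicluster` would silently get a single-cluster run. `MULTICLUSTER=${MULTICLUSTER:-false}` keeps the flag and restores the env override. parse_flags continues outside both hunks.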
@@ -80,6 +85,10 @@ parse_flags() {
 echo "Running on kind"
 fi
 
+ if [ "${MULTICLUSTER}" == "true" ]; then
+ echo "Running on multicluster"
+ fi
+
 if [ "${SKIP_BUILD}" == "true" ]; then
 echo "Skipping build"
 fi
@@ -108,8 +117,10 @@ initialize_variables() {
 COMMAND="kubectl"
 ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}"
 KUBECONFIG="${KUBECONFIG:-"${ARTIFACTS}/config"}"
+ ISTIOCTL="${ISTIOCTL:-"istioctl"}"
 LOCALBIN="${LOCALBIN:-${HOME}/bin}"
 OPERATOR_SDK=${LOCALBIN}/operator-sdk
+ IP_FAMILY=${IP_FAMILY:-ipv4}
 
 if [ "${OCP}" == "true" ]; then
 COMMAND="oc"
@@ -234,10 +245,27 @@ if [ "${SKIP_BUILD}" == "false" ]; then
 # Install OLM in the cluster because it's not available by default in kind.
 ${OPERATOR_SDK} olm install
+ # Wait for for the CatalogSource to be CatalogSource.status.connectionState.lastObservedState == READY
+ ${COMMAND} wait catalogsource operatorhubio-catalog -n olm --for 'jsonpath={.status.connectionState.lastObservedState}=READY' --timeout=5m
+
 # Create operator namespace
 ${COMMAND} create ns "${NAMESPACE}" || echo "Creation of namespace ${NAMESPACE} failed with the message: $?"
 # Deploy the operator using OLM
- ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls
+ ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls --timeout 5m || {
+ echo "****** run bundle failed, running debug information"
+ # Get all the pods in the namespace
+ ${COMMAND} get pods -n "${NAMESPACE}"
+
+ # Get all the pods in olm namespace
+ ${COMMAND} get pods -n olm
+
+ # Describe all the olm pods by iterating over the pods
+ for pod in $(${COMMAND} get pods -n olm -o name); do
+ echo "*** Describing pod: ${pod}"
+ ${COMMAND} describe "${pod}"
+ done
+ exit 1
+ }
 # Wait for the operator to be ready
 ${COMMAND} wait --for=condition=available deployment/"${DEPLOYMENT_NAME}" -n "${NAMESPACE}" --timeout=5m
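Review bot: In the debug block of the last hunk, `${COMMAND} describe "${pod}"` runs without a namespace although the names come from `get pods -n olm -o name`, so the describe call is resolved against the current-context namespace and the diagnostics this block was added for will most likely print NotFound instead of the pod events; `${COMMAND} describe "${pod}" -n olm` fixes it. The rewritten `run bundle` line keeps `--skip-tls`; since the line is being touched anyway, a comment stating why skipping TLS verification of the bundle registry is acceptable in this job (presumably the local kind registry) would keep the flag from being copied into a run against a real registry later. The comment `# Wait for for the CatalogSource` has a doubled word.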
@@ -257,7 +285,7 @@ fi
 
 # Run the go test passing the env variables defined that are going to be used in the operator tests
 # shellcheck disable=SC2086
-IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \
-NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" \
-ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" \
+IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" IP_FAMILY="${IP_FAMILY}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \
+NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" MULTICLUSTER="${MULTICLUSTER}" ARTIFACTS="${ARTIFACTS}" \
+ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" ISTIOCTL_PATH="${ISTIOCTL}" \
 go run github.com/onsi/ginkgo/v2/ginkgo -tags e2e --timeout 30m --junit-report=report.xml ${GINKGO_FLAGS} "${WD}"/...
diff --git a/tests/e2e/config/default.yaml b/tests/e2e/config/default.yaml
index 58c947c9e..9f160497d 100644
--- a/tests/e2e/config/default.yaml
+++ b/tests/e2e/config/default.yaml
@@ -27,9 +27,4 @@ containerdConfigPatches:
 - |-
 [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"]
 endpoint = ["http://kind-registry:5000"]
-networking:
- # MAISTRA specific:
- # our prow cluster uses serviceSubnet 10.96.0.0/12, so the kind cluster must use other subnet to correctly route traffic;
- # in this case, address 10.224.0.0 is chosen randomly from available set of subnets.
- serviceSubnet: "10.224.0.0/12"
- ipFamily: ipv4
+
diff --git a/tests/e2e/config/multicluster.json b/tests/e2e/config/multicluster.json
new file mode 100644
index 000000000..247824a37
--- /dev/null
+++ b/tests/e2e/config/multicluster.json
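Review bot: The removed `networking:` block in default.yaml carried the only explanation of why the kind serviceSubnet had to avoid the prow cluster's 10.96.0.0/12, and the hunk replaces it with a lone added blank line at the end of the file. Where the subnet and the new `IP_FAMILY` value are decided now is not visible in this diff; if the prow constraint still applies, a one-line pointer in default.yaml to that location, `# networking (subnets, ipFamily) is generated per IP_FAMILY; see the e2e suite script`, would keep the rationale discoverable, and the trailing blank line should go.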
@@ -0,0 +1,14 @@
+[
+ {
+ "cluster_name": "primary",
+ "pod_subnet": "10.10.0.0/16",
+ "svc_subnet": "10.255.10.0/24",
+ "network_id": "0"
+ },
+ {
+ "cluster_name": "remote",
+ "pod_subnet": "10.20.0.0/16",
+ "svc_subnet": "10.255.20.0/24",
+ "network_id": "1"
+ }
+]
\ No newline at end of file
diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go
index 1603b380e..a494a16d8 100644
--- a/tests/e2e/controlplane/control_plane_suite_test.go
+++ b/tests/e2e/controlplane/control_plane_suite_test.go
@@ -20,7 +20,8 @@ import (
 "testing"
 
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
- env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -40,9 +41,15 @@ var (
 skipDeploy = env.GetBool("SKIP_DEPLOY", false)
 expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io")
 bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo")
+ multicluster = env.GetBool("MULTICLUSTER", false)
+
+ k kubectl.Kubectl
 )
 
 func TestInstall(t *testing.T) {
+ if multicluster {
+ t.Skip("Skipping test for multicluster")
+ }
 RegisterFailHandler(Fail)
 setup()
 RunSpecs(t, "Control Plane Suite")
@@ -52,6 +59,8 @@ func setup() {
 GinkgoWriter.Println("************ Running Setup ************")
 GinkgoWriter.Println("Initializing k8s client")
- cl, err = k8sclient.InitK8sClient()
+ cl, err = k8sclient.InitK8sClient("")
 Expect(err).NotTo(HaveOccurred())
+
+ k = kubectl.New()
 }
diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go
index ab3007e2f..eafcc9a01 100644
--- a/tests/e2e/controlplane/control_plane_test.go
+++ b/tests/e2e/controlplane/control_plane_test.go
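Review bot: `k8sclient.InitK8sClient("")` in the last hunk passes a bare empty string whose meaning (a kubeconfig path, a context name, or a cluster selector) cannot be read from the call site, and the suite skips itself for multicluster, so the single-cluster intent is only implicit. A short comment on the call, `// "" uses the default kubeconfig/context (single-cluster run)`, or a named constant shared by the suites would make that explicit; which parameter it is should be confirmed against util/client, as it is not visible here. multicluster.json in the first hunk is also committed without a trailing newline, which linters and git both flag.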
@@ -19,19 +19,18 @@ package controlplane import ( "fmt" "path/filepath" - "regexp" "strings" "time" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" "github.com/istio-ecosystem/sail-operator/pkg/kube" "github.com/istio-ecosystem/sail-operator/pkg/test/project" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/onsi/gomega/types" @@ -43,20 +42,13 @@ import ( "istio.io/istio/pkg/ptr" ) -// version can have one of the following formats: -// - 1.22.2 -// - 1.23.0-rc.1 -// - 1.24-alpha -var istiodVersionRegex = regexp.MustCompile(`Version:"(\d+\.\d+(\.\d+)?(-\w+(\.\d+)?)?)`) - var _ = Describe("Control Plane Installation", Ordered, func() { SetDefaultEventuallyTimeout(180 * time.Second) SetDefaultEventuallyPollingInterval(time.Second) - debugInfoLogged := false BeforeAll(func(ctx SpecContext) { - Expect(kubectl.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") extraArg := "" if ocp { @@ -86,7 +78,7 @@ kind: IstioCNI metadata: name: default ` + spec - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") Success("IstioCNI created") cni := &v1alpha1.IstioCNI{} 
@@ -110,7 +102,7 @@ kind: Istio metadata: name: default ` + spec - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "Istio creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "Istio creation failed") Success("Istio created") istio := &v1alpha1.Istio{} @@ -133,8 +125,8 @@ metadata: Context(version.Name, func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") - Expect(kubectl.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") + Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") }) When("the IstioCNI CR is created", func() { @@ -149,7 +141,7 @@ spec: namespace: %s` yaml = fmt.Sprintf(yaml, version.Name, istioCniNamespace) Log("IstioCNI YAML:", indent(2, yaml)) - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") Success("IstioCNI created") }) @@ -181,9 +173,9 @@ spec: }) It("doesn't continuously reconcile the IstioCNI CR", func() { - Eventually(kubectl.Logs).WithArguments(namespace, "deploy/"+deploymentName, ptr.Of(30*time.Second)). - ShouldNot(ContainSubstring("Reconciliation done"), "Istio Operator is continuously reconciling") - Success("Istio Operator stopped reconciling") + Eventually(k.WithNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)). + ShouldNot(ContainSubstring("Reconciliation done"), "IstioCNI is continuously reconciling") + Success("IstioCNI stopped reconciling") }) }) 
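Review bot: The failure messages rewritten in the last hunk, `"IstioCNI is continuously reconciling"` and `Success("IstioCNI stopped reconciling")`, name the CR as the actor, but the assertion still reads the operator deployment's logs (`k.WithNamespace(namespace).Logs` on `"deploy/"+deploymentName`), so the old "Istio Operator" wording was the accurate one and only the object was missing. `"Istio Operator is continuously reconciling IstioCNI"` / `Success("Istio Operator stopped reconciling IstioCNI")` says both; the same applies to the matching Istio CR messages in the hunk at -229,16 further down.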
@@ -199,7 +191,7 @@ spec: namespace: %s` istioYAML = fmt.Sprintf(istioYAML, version.Name, controlPlaneNamespace) Log("Istio YAML:", indent(2, istioYAML)) - Expect(kubectl.CreateFromString(istioYAML)). + Expect(k.CreateFromString(istioYAML)). To(Succeed(), "Istio CR failed to be created") Success("Istio CR created") }) @@ -219,7 +211,7 @@ spec: It("deploys istiod", func(ctx SpecContext) { Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available; unexpected Condition") - Expect(getVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") Success("Istiod is deployed in the namespace and Running") }) 
@@ -229,16 +221,16 @@ spec: }) It("doesn't continuously reconcile the Istio CR", func() { - Eventually(kubectl.Logs).WithArguments(namespace, "deploy/"+deploymentName, ptr.Of(30*time.Second)). - ShouldNot(ContainSubstring("Reconciliation done"), "Istio Operator is continuously reconciling") - Success("Istio Operator stopped reconciling") + Eventually(k.WithNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)). + ShouldNot(ContainSubstring("Reconciliation done"), "Istio CR is continuously reconciling") + Success("Istio CR stopped reconciling") }) }) When("bookinfo is deployed", func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be created") - Expect(kubectl.Patch("", "namespace", bookinfoNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + Expect(k.CreateNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be created") + Expect(k.Patch("namespace", bookinfoNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching bookinfo namespace") Expect(deployBookinfo(version)).To(Succeed(), "Error deploying bookinfo") Success("Bookinfo deployed") @@ -247,7 +239,7 @@ spec: bookinfoPods := &corev1.PodList{} It("updates the pods status to Running", func(ctx SpecContext) { - cl.List(ctx, bookinfoPods, client.InNamespace(bookinfoNamespace)) + Expect(cl.List(ctx, bookinfoPods, client.InNamespace(bookinfoNamespace))).To(Succeed()) Expect(bookinfoPods.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range bookinfoPods.Items { 
@@ -260,22 +252,22 @@ spec: It("has sidecars with the correct istio version", func(ctx SpecContext) { for _, pod := range bookinfoPods.Items { sidecarVersion, err := getProxyVersion(pod.Name, bookinfoNamespace) - Expect(err).To(Succeed(), "Error getting sidecar version") - Expect(sidecarVersion).To(ContainSubstring(version.Version), "Sidecar Istio version does not match the expected version") + Expect(err).NotTo(HaveOccurred(), "Error getting sidecar version") + Expect(sidecarVersion).To(Equal(version.Version), "Sidecar Istio version does not match the expected version") } Success("Istio sidecar version matches the expected Istio version") }) AfterAll(func(ctx SpecContext) { By("Deleting bookinfo") - Expect(kubectl.DeleteNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be deleted") + Expect(k.DeleteNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be deleted") Success("Bookinfo deleted") }) }) When("the Istio CR is deleted", func() { BeforeEach(func() { - Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") Success("Istio CR deleted") }) @@ -289,7 +281,7 @@ spec: When("the IstioCNI CR is deleted", func() { BeforeEach(func() { - Expect(kubectl.Delete(istioCniNamespace, "istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") + Expect(k.WithNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") Success("IstioCNI deleted") }) 
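Review bot: `Expect(sidecarVersion).To(Equal(version.Version))` in the first hunk now compares the `*semver.Version` that getProxyVersion returns, and gomega's Equal is reflect.DeepEqual, which for this type also compares the unexported field holding the original input string; a proxy version parsed from `1.23.2` and an expected version parsed with a leading `v` or build metadata would be reported as unequal although they denote the same release, and if version.Version is still a string the assertion can never pass. Comparing semantically, `Expect(sidecarVersion.Equal(version.Version)).To(BeTrue(), "Sidecar Istio version does not match the expected version")`, or comparing `sidecarVersion.String()` against the expected string, avoids both problems. The type of version.Version is not visible here; the `common.GetVersionFromIstiod()` comparison in the hunk at -219,7 above has the same exposure if it returns the same type.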
@@ -343,7 +335,7 @@ spec: Success("Skipping deletion of operator namespace to avoid removal of operator container image from internal registry") return } - Expect(kubectl.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") + Expect(k.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") Success("Namespace deleted") }) }) @@ -356,19 +348,6 @@ func ImageFromRegistry(regexp string) types.GomegaMatcher { return HaveField("Image", MatchRegexp(regexp)) } -func getVersionFromIstiod() (string, error) { - output, err := kubectl.Exec(controlPlaneNamespace, "deploy/istiod", "", "pilot-discovery version") - if err != nil { - return "", fmt.Errorf("error getting version from istiod: %w", err) - } - - matches := istiodVersionRegex.FindStringSubmatch(output) - if len(matches) > 1 && matches[1] != "" { - return matches[1], nil - } - return "", fmt.Errorf("error getting version from istiod: version not found in output: %s", output) -} - func indent(level int, str string) string { indent := strings.Repeat(" ", level) return indent + strings.ReplaceAll(str, "\n", "\n"+indent) 
@@ -377,17 +356,17 @@ func indent(level int, str string) string { func forceDeleteIstioResources() error { // This is a workaround to delete the Istio CRs that are left in the cluster // This will be improved by splitting the tests into different Nodes with their independent setups and cleanups - err := kubectl.ForceDelete("", "istio", istioName) + err := k.ForceDelete("istio", istioName) if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istio", err) } - err = kubectl.ForceDelete("", "istiorevision", "default") + err = k.ForceDelete("istiorevision", "default") if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istiorevision", err) } - err = kubectl.Delete("", "istiocni", istioCniName) + err = k.Delete("istiocni", istioCniName) if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istiocni", err) } @@ -408,7 +387,7 @@ func getBookinfoURL(version supportedversion.VersionInfo) string { func deployBookinfo(version supportedversion.VersionInfo) error { bookinfoURL := getBookinfoURL(version) - kubectl.Apply(bookinfoNamespace, bookinfoURL) + err := k.WithNamespace(bookinfoNamespace).Apply(bookinfoURL) if err != nil { return fmt.Errorf("error deploying bookinfo: %w", err) } 
@@ -416,14 +395,19 @@ func deployBookinfo(version supportedversion.VersionInfo) error { return nil } -func getProxyVersion(podName, namespace string) (string, error) { - proxyVersion, err := kubectl.Exec(namespace, +func getProxyVersion(podName, namespace string) (*semver.Version, error) { + output, err := k.WithNamespace(namespace).Exec( podName, "istio-proxy", `curl -s http://localhost:15000/server_info | grep "ISTIO_VERSION" | awk -F '"' '{print $4}'`) if err != nil { - return "", fmt.Errorf("error getting sidecar version: %w", err) + return nil, fmt.Errorf("error getting sidecar version: %w", err) } - return proxyVersion, nil + versionStr := strings.TrimSpace(output) + version, err := semver.NewVersion(versionStr) + if err != nil { + return version, fmt.Errorf("error parsing sidecar version %q: %w", versionStr, err) + } + return version, err } diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go new file mode 100644 index 000000000..99f82bab0 --- /dev/null +++ b/tests/e2e/dualstack/dualstack_suite_test.go 
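Review bot: The two returns at the end of getProxyVersion blur the error contract: the parse-failure branch hands back whatever semver.NewVersion produced alongside the error, and the success branch returns `version, err` where err is already nil, which reads as if err could still be set. Returning `nil, fmt.Errorf("error parsing sidecar version %q: %w", versionStr, err)` on the failure branch and `return version, nil` on the success branch makes the intent explicit and matches the `nil, fmt.Errorf(...)` form used for the exec failure just above. A one-line doc comment such as `// getProxyVersion reads ISTIO_VERSION from the sidecar's Envoy admin endpoint (localhost:15000) and parses it as semver.` would also help readers of the new signature.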
@@ -0,0 +1,67 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package dualstack + +import ( + "testing" + + k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var ( + cl client.Client + err error + ocp = env.GetBool("OCP", false) + namespace = env.Get("NAMESPACE", "sail-operator") + deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") + controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system") + istioName = env.Get("ISTIO_NAME", "default") + istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni") + istioCniName = env.Get("ISTIOCNI_NAME", "default") + image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") + skipDeploy = env.GetBool("SKIP_DEPLOY", false) + expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") + multicluster = env.GetBool("MULTICLUSTER", false) + ipFamily = env.Get("IP_FAMILY", "ipv4") + + k kubectl.Kubectl +) + +func TestDualStack(t *testing.T) { + if ipFamily != "dual" || multicluster { + t.Skip("Skipping the dualStack tests") + } + + RegisterFailHandler(Fail) + setup() + RunSpecs(t, "DualStack test suite") +} + +func setup() { + GinkgoWriter.Println("************ 
Running Setup ************") + + GinkgoWriter.Println("Initializing k8s client") + cl, err = k8sclient.InitK8sClient("") + Expect(err).NotTo(HaveOccurred()) + + k = kubectl.New() +} diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go new file mode 100644 index 000000000..b4108509b --- /dev/null +++ b/tests/e2e/dualstack/dualstack_test.go 
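Review bot: `err` is declared as a package-level variable and assigned in setup() via `cl, err = k8sclient.InitK8sClient("")`, so a single shared error value is visible to every spec in the package and any spec that assigns to it instead of a local can clobber another step's result. Using a local in setup (`c, err := k8sclient.InitK8sClient("")` then `cl = c`) and dropping `err` from the var block keeps errors scoped to the step that produced them. Separately, the default `IMAGE` of `quay.io/maistra-dev/sail-operator:latest` is a floating tag, so runs that do not set IMAGE are not reproducible; a comment marking that default as intended for local runs only, or a pinned default, would make that explicit.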
@@ -0,0 +1,362 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR Condition OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package dualstack + +import ( + "fmt" + "path/filepath" + "time" + + "github.com/Masterminds/semver/v3" + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/pkg/test/project" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" + . "github.com/onsi/ginkgo/v2" + . 
"github.com/onsi/gomega" + "github.com/onsi/gomega/types" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + DualStackNamespace = "dual-stack" + IPv4Namespace = "ipv4" + IPv6Namespace = "ipv6" + SleepNamespace = "sleep" +) + +var _ = Describe("DualStack configuration ", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + + debugInfoLogged := false + + BeforeAll(func(ctx SpecContext) { + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + + extraArg := "" + if ocp { + extraArg = "--set=platform=openshift" + } + + if skipDeploy { + Success("Skipping operator installation because it was deployed externally") + } else { + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)). + To(Succeed(), "Operator failed to be deployed") + } + + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the namespace and Running") + }) + + Describe("for supported versions", func() { + for _, version := range supportedversion.List { + // Note: This var version is needed to avoid the closure of the loop + version := version + + // The minimum supported version is 1.23 (and above) + if version.Version.LessThan(semver.MustParse("1.23.0")) { + continue + } + + Context(fmt.Sprintf("Istio version %s", version.Version), func() { + BeforeAll(func() { + Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") + }) + + When("the IstioCNI CR is created", func() { + BeforeAll(func() { + cniYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: IstioCNI +metadata: + name: default +spec: + version: %s + namespace: %s` + cniYAML = fmt.Sprintf(cniYAML, version.Name, istioCniNamespace) + Log("IstioCNI YAML:", cniYAML) + Expect(k.CreateFromString(cniYAML)).To(Succeed(), "IstioCNI creation failed") + Success("IstioCNI created") + }) + + It("deploys the CNI DaemonSet", func(ctx SpecContext) { + Eventually(func(g Gomega) { + daemonset := &appsv1.DaemonSet{} + g.Expect(cl.Get(ctx, kube.Key("istio-cni-node", istioCniNamespace), daemonset)).To(Succeed(), "Error getting IstioCNI DaemonSet") + g.Expect(daemonset.Status.NumberAvailable). 
+ To(Equal(daemonset.Status.CurrentNumberScheduled), "CNI DaemonSet Pods not Available; expected numberAvailable to be equal to currentNumberScheduled") + }).Should(Succeed(), "CNI DaemonSet Pods are not Available") + Success("CNI DaemonSet is deployed in the namespace and Running") + }) + }) + + When("the Istio CR is created with DualStack configuration", func() { + BeforeAll(func() { + istioYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + values: + meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_DUAL_STACK: "true" + pilot: + ipFamilyPolicy: %s + env: + ISTIO_DUAL_STACK: "true" + version: %s + namespace: %s` + istioYAML = fmt.Sprintf(istioYAML, corev1.IPFamilyPolicyRequireDualStack, version.Name, controlPlaneNamespace) + Log("Istio YAML:", istioYAML) + Expect(k.CreateFromString(istioYAML)). + To(Succeed(), "Istio CR failed to be created") + Success("Istio CR created") + }) + + It("updates the Istio CR status to Reconciled", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReconciled, metav1.ConditionTrue), "Istio is not Reconciled; unexpected Condition") + Success("Istio CR is Reconciled") + }) + + It("updates the Istio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready; unexpected Condition") + Success("Istio CR is Ready") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running") + }) + + It("uses the correct image", func(ctx SpecContext) { + Expect(common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{})). + To(HaveContainersThat(HaveEach(ImageFromRegistry(expectedRegistry)))) + }) + + It("has ISTIO_DUAL_STACK env variable set", func(ctx SpecContext) { + Expect(common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{})). + To(HaveContainersThat(ContainElement(WithTransform(getEnvVars, ContainElement(corev1.EnvVar{Name: "ISTIO_DUAL_STACK", Value: "true"})))), + "Expected ISTIO_DUAL_STACK to be set to true, but not found") + }) + + It("deploys istiod service in dualStack mode", func(ctx SpecContext) { + var istiodSvcObj corev1.Service + + Eventually(func() error { + _, err := common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &istiodSvcObj) + return err + }).Should(Succeed(), "Expected to retrieve the 'istiod' service") + + Expect(istiodSvcObj.Spec.IPFamilyPolicy).ToNot(BeNil(), "Expected IPFamilyPolicy to be set") + Expect(*istiodSvcObj.Spec.IPFamilyPolicy).To(Equal(corev1.IPFamilyPolicyRequireDualStack), "Expected ipFamilyPolicy to be 'RequireDualStack'") + Success("Istio Service is deployed in the namespace and Running") + }) + }) + + // We spawn the following pods to verify the data-path connectivity. + // 1. a dualStack service in dual-stack namespace which listens on both IPv4 and IPv6 addresses + // 2. an ipv4 only service in ipv4 namespace which listens only on IPv4 address + // 3. 
an ipv6 only service in ipv6 namespace which listens only on IPv6 address + // Using a sleep pod from the sleep namespace, we try to connect to all the three services to verify that connectivity is successful. + When("sample apps are deployed in the cluster", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k.CreateNamespace(DualStackNamespace)).To(Succeed(), "Failed to create dual-stack namespace") + Expect(k.CreateNamespace(IPv4Namespace)).To(Succeed(), "Failed to create ipv4 namespace") + Expect(k.CreateNamespace(IPv6Namespace)).To(Succeed(), "Failed to create ipv6 namespace") + Expect(k.CreateNamespace(SleepNamespace)).To(Succeed(), "Failed to create sleep namespace") + + Expect(k.Patch("namespace", DualStackNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching dual-stack namespace") + Expect(k.Patch("namespace", IPv4Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching ipv4 namespace") + Expect(k.Patch("namespace", IPv6Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching ipv6 namespace") + Expect(k.Patch("namespace", SleepNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). 
+ To(Succeed(), "Error patching sleep namespace") + + Expect(k.WithNamespace(DualStackNamespace).Apply(getYAMLPodURL(version, DualStackNamespace))).To(Succeed(), "error deploying tcpDualStack pod") + Expect(k.WithNamespace(IPv4Namespace).Apply(getYAMLPodURL(version, IPv4Namespace))).To(Succeed(), "error deploying ipv4 pod") + Expect(k.WithNamespace(IPv6Namespace).Apply(getYAMLPodURL(version, IPv6Namespace))).To(Succeed(), "error deploying ipv6 pod") + Expect(k.WithNamespace(SleepNamespace).Apply(getYAMLPodURL(version, SleepNamespace))).To(Succeed(), "error deploying sleep pod") + + Success("dualStack validation pods deployed") + }) + + sleepPod := &corev1.PodList{} + It("updates the status of pods to Running", func(ctx SpecContext) { + _, err = common.CheckPodsReady(ctx, cl, DualStackNamespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of dual-stack pods: %v", err)) + + _, err = common.CheckPodsReady(ctx, cl, IPv4Namespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of ipv4 pods: %v", err)) + + _, err = common.CheckPodsReady(ctx, cl, IPv6Namespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of ipv6 pods: %v", err)) + + sleepPod, err = common.CheckPodsReady(ctx, cl, SleepNamespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of sleep pods: %v", err)) + + Success("Pods are ready") + }) + + It("can access the dual-stack service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, DualStackNamespace) + }) + + It("can access the ipv4 only service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, IPv4Namespace) + }) + + It("can access the ipv6 only service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, IPv6Namespace) + }) + + AfterAll(func(ctx SpecContext) { + By("Deleting the pods") + 
Expect(k.DeleteNamespace(DualStackNamespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", DualStackNamespace)) + Expect(k.DeleteNamespace(IPv4Namespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", IPv4Namespace)) + Expect(k.DeleteNamespace(IPv6Namespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", IPv6Namespace)) + Expect(k.DeleteNamespace(SleepNamespace)).To(Succeed(), fmt.Sprintf("Failed to delete the %q namespace", SleepNamespace)) + Success("DualStack validation pods deleted") + }) + }) + + When("the Istio CR is deleted", func() { + BeforeEach(func() { + Expect(k.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Success("Istio CR deleted") + }) + + It("removes everything from the namespace", func(ctx SpecContext) { + Eventually(cl.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(ReturnNotFoundError(), "Istiod should not exist anymore") + common.CheckNamespaceEmpty(ctx, cl, controlPlaneNamespace) + Success("Namespace is empty") + }) + }) + + When("the IstioCNI CR is deleted", func() { + BeforeEach(func() { + Expect(k.WithNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") + Success("IstioCNI deleted") + }) + + It("removes everything from the CNI namespace", func(ctx SpecContext) { + daemonset := &appsv1.DaemonSet{} + Eventually(cl.Get).WithArguments(ctx, kube.Key("istio-cni-node", istioCniNamespace), daemonset). 
+ Should(ReturnNotFoundError(), "IstioCNI DaemonSet should not exist anymore") + common.CheckNamespaceEmpty(ctx, cl, istioCniNamespace) + Success("CNI namespace is empty") + }) + }) + }) + } + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() { + common.LogDebugInfo() + debugInfoLogged = true + } + + By("Cleaning up the Istio namespace") + Expect(cl.Delete(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: controlPlaneNamespace}})).To(Succeed(), "Istio Namespace failed to be deleted") + + By("Deleting any left-over Istio and IstioRevision resources") + Success("Resources deleted") + Success("Cleanup done") + }) + }) + + AfterAll(func() { + if CurrentSpecReport().Failed() && !debugInfoLogged { + common.LogDebugInfo() + debugInfoLogged = true + } + + if skipDeploy { + Success("Skipping operator undeploy because it was deployed externally") + return + } + + By("Deleting operator deployment") + Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)). + To(Succeed(), "Operator failed to be deleted") + GinkgoWriter.Println("Operator uninstalled") + + Expect(k.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") + Success("Namespace deleted") + }) +}) + +func HaveContainersThat(matcher types.GomegaMatcher) types.GomegaMatcher { + return HaveField("Spec.Template.Spec.Containers", matcher) +} + +func ImageFromRegistry(regexp string) types.GomegaMatcher { + return HaveField("Image", MatchRegexp(regexp)) +} + +func getEnvVars(container corev1.Container) []corev1.EnvVar { + return container.Env +} + +func getYAMLPodURL(version supportedversion.VersionInfo, namespace string) string { + var url string + + switch namespace { + case DualStackNamespace: + url = "samples/tcp-echo/tcp-echo-dual-stack.yaml" + case IPv4Namespace: + url = "samples/tcp-echo/tcp-echo-ipv4.yaml" + case IPv6Namespace: + url = "samples/tcp-echo/tcp-echo-ipv6.yaml" + case SleepNamespace: + url = "samples/sleep/sleep.yaml" + default: + return "" + } + 
+ if version.Name == "latest" { + return fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/master/%s", url) + } + + return fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/%s", version.Version, url) +} + +func checkPodConnectivity(podName, namespace, echoStr string) { + command := fmt.Sprintf(`sh -c 'echo %s | nc tcp-echo.%s 9000'`, echoStr, echoStr) + response, err := k.WithNamespace(namespace).Exec(podName, "sleep", command) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("error connecting to the %q pod", podName)) + Expect(response).To(ContainSubstring(fmt.Sprintf("hello %s", echoStr)), fmt.Sprintf("Unexpected response from %s pod", podName)) +} diff --git a/tests/e2e/integ-suite-kind.sh b/tests/e2e/integ-suite-kind.sh index 39a5b415e..e4442e278 100755 --- a/tests/e2e/integ-suite-kind.sh +++ b/tests/e2e/integ-suite-kind.sh @@ -29,9 +29,19 @@ export KIND_REGISTRY="localhost:${KIND_REGISTRY_PORT}" export DEFAULT_CLUSTER_YAML="${SCRIPTPATH}/config/default.yaml" export IP_FAMILY="${IP_FAMILY:-ipv4}" export ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}" +export MULTICLUSTER="${MULTICLUSTER:-false}" +# Set variable to exclude kind clusters from kubectl annotations. +# You need to set kind clusters names separated by comma +export KIND_EXCLUDE_CLUSTERS="${KIND_EXCLUDE_CLUSTERS:-}" +export ISTIOCTL="${ISTIOCTL:-${ROOT}/bin/istioctl}" + # Set variable for cluster kind name export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-operator-integration-tests}" +if [ "${MULTICLUSTER}" == "true" ]; then + export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME}-1" + export KIND_CLUSTER_NAME_2="${KIND_CLUSTER_NAME}-2" +fi # Use the local registry instead of the default HUB export HUB="${KIND_REGISTRY}" 
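Review bot: In the inner AfterAll, `By("Deleting any left-over Istio and IstioRevision resources")` is immediately followed by `Success("Resources deleted")` with no call in between, so no Istio or IstioRevision resource is deleted there and the log claims a cleanup that did not happen; either invoke the force-delete cleanup the other suites use for this purpose or remove the misleading By/Success pair. The three connectivity specs also index `sleepPod.Items[0].Name` without checking that CheckPodsReady returned a non-empty list, which turns an empty sleep namespace into a panic rather than a failed assertion; add `Expect(sleepPod.Items).ToNot(BeEmpty(), "sleep pod not found")` right after the `sleepPod, err = common.CheckPodsReady(...)` call. Note also that getYAMLPodURL applies manifests fetched from the istio/istio `master` branch when version.Name is "latest", so that path is not pinned to any revision; worth a comment if that is intentional.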
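Review bot: In the MULTICLUSTER branch, `KIND_CLUSTER_NAME` is re-exported with a `-1` suffix before `KIND_CLUSTER_NAME_2` is derived from it, so with the default name the second cluster is named `operator-integration-tests-1-2` rather than `operator-integration-tests-2`. Unless that naming is intended (I cannot see how multicluster.json or the kind helpers consume these variables), derive both from the base name by swapping the two lines: `export KIND_CLUSTER_NAME_2="${KIND_CLUSTER_NAME}-2"` followed by `export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME}-1"`.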
@@ -52,16 +62,44 @@ function setup_kind_registry() { fi # https://docs.tilt.dev/choosing_clusters.html#discovering-the-registry - # TODO get context/config from existing variables - kind export kubeconfig --name="${KIND_CLUSTER_NAME}" - for node in $(kind get nodes --name="${KIND_CLUSTER_NAME}"); do - kubectl annotate node "${node}" "kind.x-k8s.io/registry=localhost:${KIND_REGISTRY_PORT}" --overwrite; + for cluster in $(kind get clusters); do + # TODO get context/config from existing variables + # Avoid adding the registry to excluded clusters. Use when you have multiple clusters running. + if [[ "${KIND_EXCLUDE_CLUSTERS}" == *"${cluster}"* ]]; then + continue + fi + + kind export kubeconfig --name="${cluster}" + for node in $(kind get nodes --name="${cluster}"); do + kubectl annotate node "${node}" "kind.x-k8s.io/registry=localhost:${KIND_REGISTRY_PORT}" --overwrite; + done done } -KUBECONFIG="${ARTIFACTS}/config" setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true" -setup_kind_registry +if [ "${MULTICLUSTER}" == "true" ]; then + CLUSTER_TOPOLOGY_CONFIG_FILE="${SCRIPTPATH}/config/multicluster.json" + load_cluster_topology "${CLUSTER_TOPOLOGY_CONFIG_FILE}" + setup_kind_clusters "" "" + setup_kind_registry + + export KUBECONFIG="${KUBECONFIGS[0]}" + export KUBECONFIG2="${KUBECONFIGS[1]}" +else + KUBECONFIG="${ARTIFACTS}/config" setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true" + setup_kind_registry +fi + + +# Check that istioctl is present using ${ISTIOCTL} +if ! command -v "${ISTIOCTL}" &> /dev/null; then + echo "istioctl not found. 
Please set the ISTIOCTL environment variable to the path of the istioctl binary" + exit 1 +fi # Run the integration tests echo "Running integration tests" -ARTIFACTS="${ARTIFACTS}" ./tests/e2e/common-operator-integ-suite.sh --kind +if [ "${MULTICLUSTER}" == "true" ]; then + ARTIFACTS="${ARTIFACTS}" ISTIOCTL="${ISTIOCTL}" ./tests/e2e/common-operator-integ-suite.sh --kind --multicluster +else +ARTIFACTS="${ARTIFACTS}" IP_FAMILY="${IP_FAMILY}" ./tests/e2e/common-operator-integ-suite.sh --kind +fi \ No newline at end of file diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go new file mode 100644 index 000000000..8cee0948e --- /dev/null +++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go 
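Review bot: The exclusion test `[[ "${KIND_EXCLUDE_CLUSTERS}" == *"${cluster}"* ]]` in setup_kind_registry is an unanchored substring match, so a cluster named `dev` is skipped whenever the list contains `dev-2`, and although the comment says the variable is comma-separated the commas are never used to delimit the match. Comparing against the delimited list, `[[ ",${KIND_EXCLUDE_CLUSTERS}," == *",${cluster},"* ]]`, matches whole names only. Minor: the command in the final `else` branch is not indented like its sibling, and the file now ends without a trailing newline as the `\ No newline at end of file` marker shows.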
@@ -0,0 +1,343 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package multicluster + +import ( + "context" + "fmt" + "path/filepath" + "strings" + "time" + + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/pkg/test/project" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" + . "github.com/onsi/ginkgo/v2" + . 
"github.com/onsi/gomega" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var _ = Describe("Multicluster deployment models", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + + BeforeAll(func(ctx SpecContext) { + if !skipDeploy { + // Deploy the Sail Operator on both clusters + Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #1") + Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #2") + + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). + To(Succeed(), "Operator failed to be deployed in Cluster #1") + + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Cluster #1 namespace and Running") + + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). + To(Succeed(), "Operator failed to be deployed in Cluster #2") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Cluster #2 namespace and Running") + } + }) + + Describe("Multi-Primary Multi-Network configuration", func() { + // Test the Multi-Primary Multi-Network configuration for each supported Istio version + for _, version := range supportedversion.List { + Context(fmt.Sprintf("Istio version %s", version.Version), func() { + When("Istio resources are created in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + + // Push the intermediate CA to both clusters + Expect(certs.PushIntermediateCA(k1, controlPlaneNamespace, "east", "network1", artifacts, clPrimary)).To(Succeed()) + Expect(certs.PushIntermediateCA(k2, controlPlaneNamespace, "west", "network2", artifacts, clRemote)).To(Succeed()) + + // Wait for the secret to be created in both clusters + Eventually(func() error { + _, err := common.GetObject(context.Background(), clPrimary, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Cluster #1") + + Eventually(func() error { + _, err := common.GetObject(context.Background(), clRemote, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Cluster #1") + + multiclusterYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + version: %s + namespace: %s + values: + global: + meshID: %s + multiCluster: + clusterName: %s + network: %s` + multiclusterCluster1YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") + Log("Istio CR Cluster #1: ", multiclusterCluster1YAML) + 
Expect(k1.CreateFromString(multiclusterCluster1YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #1") + + multiclusterCluster2YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster2", "network2") + Log("Istio CR Cluster #2: ", multiclusterCluster2YAML) + Expect(k2.CreateFromString(multiclusterCluster2YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #2") + }) + + It("updates both Istio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Cluster #1; unexpected Condition") + Success("Istio CR is Ready on Cluster #1") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Cluster #2; unexpected Condition") + Success("Istio CR is Ready on Cluster #1") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #1; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running on Cluster #1") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #2; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running on Cluster #2") + }) + }) + + When("Gateway is created in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #1") + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #2") + + // Expose the Gateway service in both clusters + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #1") + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #2") + }) + + It("updates both Gateway status to Available", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #1; unexpected Condition") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #2; unexpected Condition") + Success("Gateway is created and available in both clusters") + }) + }) + + When("are installed remote secrets on each cluster", func() { + BeforeAll(func(ctx SpecContext) { + // Get the internal IP of the control plane node in both clusters + internalIPCluster1, err := k1.GetInternalIP("node-role.kubernetes.io/control-plane") + Expect(err).NotTo(HaveOccurred()) + Expect(internalIPCluster1).NotTo(BeEmpty(), "Internal IP is empty for Cluster #1") + + internalIPCluster2, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") + Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2") + Expect(err).NotTo(HaveOccurred()) + + // Install a remote secret in Cluster #1 that provides access to the Cluster #2 API server. + secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "cluster2", internalIPCluster2) + Expect(err).NotTo(HaveOccurred()) + Expect(k1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1") + + // Install a remote secret in Cluster #2 that provides access to the Cluster #1 API server. 
+ secret, err = istioctl.CreateRemoteSecret(kubeconfig, "cluster1", internalIPCluster1) + Expect(err).NotTo(HaveOccurred()) + Expect(k2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1") + }) + + It("remote secrets are created", func(ctx SpecContext) { + secret, err := common.GetObject(ctx, clPrimary, kube.Key("istio-remote-secret-cluster2", controlPlaneNamespace), &corev1.Secret{}) + Expect(err).NotTo(HaveOccurred()) + Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #1") + + secret, err = common.GetObject(ctx, clRemote, kube.Key("istio-remote-secret-cluster1", controlPlaneNamespace), &corev1.Secret{}) + Expect(err).NotTo(HaveOccurred()) + Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #2") + Success("Remote secrets are created in both clusters") + }) + }) + + When("sample apps are deployed in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + // Deploy the sample app in both clusters + deploySampleApp("sample", version) + Success("Sample app is deployed in both clusters") + }) + + It("updates the pods status to Ready", func(ctx SpecContext) { + samplePodsCluster1 := &corev1.PodList{} + + Expect(clPrimary.List(ctx, samplePodsCluster1, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsCluster1.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsCluster1.Items { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(pod.Name, "sample"), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Cluster #1; unexpected Condition") + } + + samplePodsCluster2 := &corev1.PodList{} + Expect(clRemote.List(ctx, samplePodsCluster2, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsCluster2.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsCluster2.Items { + Eventually(common.GetObject). 
+ WithArguments(ctx, clRemote, kube.Key(pod.Name, "sample"), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Cluster #2; unexpected Condition") + } + Success("Sample app is created in both clusters and Running") + }) + + It("can access the sample app from both clusters", func(ctx SpecContext) { + sleepPodNameCluster1, err := common.GetPodNameByLabel(ctx, clPrimary, "sample", "app", "sleep") + Expect(sleepPodNameCluster1).NotTo(BeEmpty(), "Sleep pod not found on Cluster #1") + Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #1") + + sleepPodNameCluster2, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep") + Expect(sleepPodNameCluster2).NotTo(BeEmpty(), "Sleep pod not found on Cluster #2") + Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Cluster #2") + + // Run the curl command from the sleep pod in the Cluster #2 and get response list to validate that we get responses from both clusters + Cluster2Responses := strings.Join(getListCurlResponses(k2, sleepPodNameCluster2), "\n") + Expect(Cluster2Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #2 are not the expected") + Expect(Cluster2Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #2 are not the expected") + + // Run the curl command from the sleep pod in the Cluster #1 and get response list to validate that we get responses from both clusters + Cluster1Responses := strings.Join(getListCurlResponses(k1, sleepPodNameCluster1), "\n") + Expect(Cluster1Responses).To(ContainSubstring("Hello version: v1"), "Responses from Cluster #1 are not the expected") + Expect(Cluster1Responses).To(ContainSubstring("Hello version: v2"), "Responses from Cluster #1 are not the expected") + Success("Sample app is accessible from both clusters") + }) + }) + + When("istio CR is deleted in both clusters", func() { + BeforeEach(func() { + // Delete the Istio CR in both 
clusters + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Success("Istio CR is deleted in both clusters") + }) + + It("removes istiod pod", func(ctx SpecContext) { + // Check istiod pod is deleted in both clusters + Eventually(clPrimary.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(ReturnNotFoundError(), "Istiod should not exist anymore on Cluster #1") + Eventually(clRemote.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(ReturnNotFoundError(), "Istiod should not exist anymore on Cluster #2") + }) + }) + + AfterAll(func(ctx SpecContext) { + // Delete namespace to ensure clean up for new tests iteration + Expect(k1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + + common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) + common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) + Success("ControlPlane Namespaces are empty") + + // Delete the entire sample namespace in both clusters + Expect(k1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + + common.CheckNamespaceEmpty(ctx, clPrimary, "sample") + common.CheckNamespaceEmpty(ctx, clRemote, "sample") + Success("Sample app is deleted in both clusters") + }) + }) + } + }) + + AfterAll(func(ctx SpecContext) { + // Delete the Sail Operator from both clusters + Expect(k1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + 
Expect(k2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + + // Delete the intermediate CA from both clusters + common.CheckNamespaceEmpty(ctx, clPrimary, namespace) + common.CheckNamespaceEmpty(ctx, clRemote, namespace) + }) +}) + +// deploySampleApp deploys the sample app in the given cluster +func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { + // Create the namespace + Expect(k1.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + + // Label the namespace + Expect(k1.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching sample namespace") + Expect(k2.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching sample namespace") + + version := istioVersion.Version.String() + // Deploy the sample app from upstream URL in both clusters + if istioVersion.Name == "latest" { + version = "master" + } + helloWorldURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/helloworld/helloworld.yaml", version) + Expect(k1.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #2") + + Expect(k1.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v1")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v2")).To(Succeed(), "Sample service deploy failed on Cluster #2") + + sleepURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/sleep/sleep.yaml", version) + Expect(k1.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy 
failed on Cluster #1") + Expect(k2.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") +} + +// getListCurlResponses runs the curl command 10 times from the sleep pod in the given cluster and get response list +func getListCurlResponses(k kubectl.Kubectl, podName string) []string { + var responses []string + for i := 0; i < 10; i++ { + response, err := k.WithNamespace("sample").Exec(podName, "sleep", "curl -sS helloworld.sample:5000/hello") + Expect(err).NotTo(HaveOccurred()) + responses = append(responses, response) + } + return responses +} diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go new file mode 100644 index 000000000..35c6fb240 --- /dev/null +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go 
@@ -0,0 +1,344 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package multicluster + +import ( + "context" + "fmt" + "path/filepath" + "strings" + "time" + + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/pkg/test/project" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" + . "github.com/onsi/ginkgo/v2" + . 
"github.com/onsi/gomega" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var _ = Describe("Multicluster deployment models", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + + BeforeAll(func(ctx SpecContext) { + if !skipDeploy { + // Deploy the Sail Operator on both clusters + Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Primary Cluster") + Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Remote Cluster") + + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig)). + To(Succeed(), "Operator failed to be deployed in Primary Cluster") + + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Primary namespace and Running") + + Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, "--kubeconfig "+kubeconfig2)). + To(Succeed(), "Operator failed to be deployed in Remote Cluster") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Remote namespace and Running") + } + }) + + Describe("Primary-Remote - Multi-Network configuration", func() { + // Test the Primary-Remote - Multi-Network configuration for each supported Istio version + for _, version := range supportedversion.List { + // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23, because that's the only + // version that has the istiod-remote chart. For 1.24, we need to rewrite the support for RemoteIstio. + if !(version.Version.Major() == 1 && version.Version.Minor() == 23) { + continue + } + + Context(fmt.Sprintf("Istio version %s", version.Version), func() { + When("Istio resources are created in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + + // Push the intermediate CA to both clusters + Expect(certs.PushIntermediateCA(k1, controlPlaneNamespace, "east", "network1", artifacts, clPrimary)). + To(Succeed(), "Error pushing intermediate CA to Primary Cluster") + Expect(certs.PushIntermediateCA(k2, controlPlaneNamespace, "west", "network2", artifacts, clRemote)). 
+ To(Succeed(), "Error pushing intermediate CA to Remote Cluster") + + // Wait for the secret to be created in both clusters + Eventually(func() error { + _, err := common.GetObject(context.Background(), clPrimary, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Primary Cluster") + + Eventually(func() error { + _, err := common.GetObject(context.Background(), clRemote, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Primary Cluster") + + PrimaryYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + version: %s + namespace: %s + values: + pilot: + env: + EXTERNAL_ISTIOD: "true" + global: + meshID: %s + multiCluster: + clusterName: %s + network: %s` + multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") + Log("Istio CR Primary: ", multiclusterPrimaryYAML) + Expect(k1.CreateFromString(multiclusterPrimaryYAML)).To(Succeed(), "Istio Resource creation failed on Primary Cluster") + }) + + It("updates Istio CR on Primary cluster status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Primary; unexpected Condition") + Success("Istio CR is Ready on Primary Cluster") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Primary; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running on Primary Cluster") + }) + }) + + When("Gateway is created on Primary cluster ", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Primary Cluster") + + // Expose istiod service in Primary cluster + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeIstiodYAML)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster") + + // Expose the Gateway service in both clusters + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Primary Cluster") + }) + + It("updates Gateway status to Available", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Primary; unexpected Condition") + }) + }) + + When("RemoteIstio is created in Remote cluster", func() { + BeforeAll(func(ctx SpecContext) { + RemoteYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: RemoteIstio +metadata: + name: default +spec: + version: %s + namespace: istio-system + values: + istiodRemote: + injectionPath: /inject/cluster/remote/net/network2 + global: + remotePilotAddress: %s` + + remotePilotAddress, err := common.GetSVCLoadBalancerAddress(ctx, clPrimary, controlPlaneNamespace, "istio-eastwestgateway") + Expect(remotePilotAddress).NotTo(BeEmpty(), "Remote Pilot Address is empty") + Expect(err).NotTo(HaveOccurred(), "Error getting Remote Pilot Address") + remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, remotePilotAddress) + Log("RemoteIstio CR: ", remoteIstioYAML) + By("Creating RemoteIstio CR on Remote Cluster") + Expect(k2.CreateFromString(remoteIstioYAML)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") + + // Set the controlplane cluster and network for Remote namespace + By("Patching the istio-system namespace on Remote Cluster") + Expect( + k2.Patch( + "namespace", + controlPlaneNamespace, + "merge", + `{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`)). + To(Succeed(), "Error patching istio-system namespace") + Expect( + k2.Patch( + "namespace", + controlPlaneNamespace, + "merge", + `{"metadata":{"labels":{"topology.istio.io/network":"network2"}}}`)). 
+ To(Succeed(), "Error patching istio-system namespace") + + // To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster + // RemoteIstio resource will not be Ready until the secret is created + // Get the internal IP of the control plane node in Remote cluster + internalIPRemote, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") + Expect(internalIPRemote).NotTo(BeEmpty(), "Internal IP is empty for Remote Cluster") + Expect(err).NotTo(HaveOccurred()) + + // Wait for the RemoteIstio CR to be created, this can be moved to a condition verification, but the resource it not will be Ready at this point + time.Sleep(5 * time.Second) + + // Install a remote secret in Primary cluster that provides access to the Remote cluster API server. + By("Creating Remote Secret on Primary Cluster") + secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "remote", internalIPRemote) + Expect(err).NotTo(HaveOccurred()) + Expect(k1.WithNamespace(controlPlaneNamespace).ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Primary Cluster") + }) + + It("secret is created", func(ctx SpecContext) { + secret, err := common.GetObject(ctx, clPrimary, kube.Key("istio-remote-secret-remote", controlPlaneNamespace), &corev1.Secret{}) + Expect(err).NotTo(HaveOccurred()) + Expect(secret).NotTo(BeNil(), "Secret is not created on Primary Cluster") + Success("Remote secret is created in Primary cluster") + }) + + It("updates RemoteIstio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.RemoteIstio{}). 
+ Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Remote; unexpected Condition") + Success("RemoteIstio CR is Ready on Remote Cluster") + }) + }) + + When("gateway is created in Remote cluster", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Remote Cluster") + Success("Gateway is created in Remote cluster") + }) + + It("updates Gateway status to Available", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Remote; unexpected Condition") + Success("Gateway is created and available in Remote cluster") + }) + }) + + When("sample apps are deployed in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + // Deploy the sample app in both clusters + deploySampleApp("sample", version) + Success("Sample app is deployed in both clusters") + }) + + It("updates the pods status to Ready", func(ctx SpecContext) { + samplePodsPrimary := &corev1.PodList{} + + Expect(clPrimary.List(ctx, samplePodsPrimary, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsPrimary.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsPrimary.Items { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(pod.Name, "sample"), &corev1.Pod{}). 
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Primary; unexpected Condition") + } + + samplePodsRemote := &corev1.PodList{} + Expect(clRemote.List(ctx, samplePodsRemote, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsRemote.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsRemote.Items { + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(pod.Name, "sample"), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Remote; unexpected Condition") + } + Success("Sample app is created in both clusters and Running") + }) + + It("can access the sample app from both clusters", func(ctx SpecContext) { + sleepPodNamePrimary, err := common.GetPodNameByLabel(ctx, clPrimary, "sample", "app", "sleep") + Expect(sleepPodNamePrimary).NotTo(BeEmpty(), "Sleep pod not found on Primary Cluster") + Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Primary Cluster") + + sleepPodNameRemote, err := common.GetPodNameByLabel(ctx, clRemote, "sample", "app", "sleep") + Expect(sleepPodNameRemote).NotTo(BeEmpty(), "Sleep pod not found on Remote Cluster") + Expect(err).NotTo(HaveOccurred(), "Error getting sleep pod name on Remote Cluster") + + // Run the curl command from the sleep pod in the Remote Cluster and get response list to validate that we get responses from both clusters + remoteResponses := strings.Join(getListCurlResponses(k2, sleepPodNameRemote), "\n") + Expect(remoteResponses).To(ContainSubstring("Hello version: v1"), "Responses from Remote Cluster are not the expected") + Expect(remoteResponses).To(ContainSubstring("Hello version: v2"), "Responses from Remote Cluster are not the expected") + + // Run the curl command from the sleep pod in the Primary Cluster and get response list to validate that we get responses from both clusters + primaryResponses := strings.Join(getListCurlResponses(k1, 
sleepPodNamePrimary), "\n") + Expect(primaryResponses).To(ContainSubstring("Hello version: v1"), "Responses from Primary Cluster are not the expected") + Expect(primaryResponses).To(ContainSubstring("Hello version: v2"), "Responses from Primary Cluster are not the expected") + Success("Sample app is accessible from both clusters") + }) + }) + + When("Istio CR and RemoteIstio CR are deleted in both clusters", func() { + BeforeEach(func() { + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("remoteistio", istioName)).To(Succeed(), "RemoteIstio CR failed to be deleted") + Success("Istio and RemoteIstio are deleted") + }) + + It("removes istiod on Primary", func(ctx SpecContext) { + Eventually(clPrimary.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(ReturnNotFoundError(), "Istiod should not exist anymore") + Success("Istiod is deleted on Primary Cluster") + }) + }) + + AfterAll(func(ctx SpecContext) { + // Delete namespace to ensure clean up for new tests iteration + Expect(k1.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + + common.CheckNamespaceEmpty(ctx, clPrimary, controlPlaneNamespace) + common.CheckNamespaceEmpty(ctx, clRemote, controlPlaneNamespace) + Success("ControlPlane Namespaces are empty") + + // Delete the entire sample namespace in both clusters + Expect(k1.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespace("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + + common.CheckNamespaceEmpty(ctx, clPrimary, "sample") + common.CheckNamespaceEmpty(ctx, clRemote, "sample") + Success("Sample app is deleted in both 
clusters") + }) + }) + } + }) + + AfterAll(func(ctx SpecContext) { + // Delete the Sail Operator from both clusters + Expect(k1.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + + // Check that the namespace is empty + common.CheckNamespaceEmpty(ctx, clPrimary, namespace) + common.CheckNamespaceEmpty(ctx, clRemote, namespace) + }) +}) diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go new file mode 100644 index 000000000..09ca73fde --- /dev/null +++ b/tests/e2e/multicluster/multicluster_suite_test.go 
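Review bot: The fixed `time.Sleep(5 * time.Second)` in the RemoteIstio BeforeAll is a timing assumption rather than a check, and the comment beside it already says it should be a condition verification; with the 180-second Eventually default set at the top of the file it can become `Eventually(common.GetObject).WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.RemoteIstio{}).Should(Not(BeNil()))` so the remote secret is applied only once the CR actually exists. In the same block `RemoteYAML` hardcodes `namespace: istio-system` while every other step in this file uses `controlPlaneNamespace` (overridable via CONTROL_PLANE_NS in the suite file), so a non-default value would place the RemoteIstio in a different namespace from the one that is patched and given the west gateway; a `namespace: %s` placeholder filled from `controlPlaneNamespace` keeps them consistent. The second cacerts wait in the first BeforeAll reports "Secret is not created on Primary Cluster" although it polls `clRemote`, and both waits use `context.Background()` instead of the `ctx` SpecContext they receive. Several lookups (remotePilotAddress, internalIPRemote, the sleep pod names) assert on the returned value before `Expect(err).NotTo(HaveOccurred())`, so a failing call is reported as an empty value instead of with the underlying error.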
@@ -0,0 +1,104 @@
+//go:build e2e
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package multicluster
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
+ k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var (
+ clPrimary client.Client
+ clRemote client.Client
+ err error
+ ocp = env.GetBool("OCP", false)
+ namespace = env.Get("NAMESPACE", "sail-operator")
+ deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
+ controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
+ istioName = env.Get("ISTIO_NAME", "default")
+ image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
+ skipDeploy = env.GetBool("SKIP_DEPLOY", false)
+ multicluster = env.GetBool("MULTICLUSTER", false)
+ kubeconfig = env.Get("KUBECONFIG", "")
+ kubeconfig2 = env.Get("KUBECONFIG2", "")
+ artifacts = env.Get("ARTIFACTS", "/tmp/artifacts")
+
+ eastGatewayYAML string
+ westGatewayYAML string
+ exposeServiceYAML string
+ exposeIstiodYAML string
+
+ k1 kubectl.Kubectl
+ k2 kubectl.Kubectl
+)
+
+func TestInstall(t *testing.T) {
+ if !multicluster {
+ t.Skip("Skipping test. Only valid for multicluster")
+ }
+ if ocp {
+ t.Skip("Skipping test. Not valid for OCP")
+ // TODO: Implement the steps to run the test on OCP
+ // https://github.com/istio-ecosystem/sail-operator/issues/365
+ }
+ RegisterFailHandler(Fail)
+ setup(t)
+ RunSpecs(t, "Control Plane Suite")
+}
+
+func setup(t *testing.T) {
+ GinkgoWriter.Println("************ Running Setup ************")
+
+ GinkgoWriter.Println("Initializing k8s client")
+ clPrimary, err = k8sclient.InitK8sClient(kubeconfig)
+ clRemote, err = k8sclient.InitK8sClient(kubeconfig2)
+ if err != nil {
+ t.Fatalf("Error initializing k8s client: %v", err)
+ }
+
+ err := certs.CreateIntermediateCA(artifacts)
+ if err != nil {
+ t.Fatalf("Error creating intermediate CA: %v", err)
+ }
+
+ // Set the path for the multicluster YAML files to be used
+ workDir, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("Error getting working directory: %v", err)
+ }
+
+ // Set base path
+ baseRepoDir := filepath.Join(workDir, "../../..")
+ eastGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net1.yaml", baseRepoDir)
+ westGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net2.yaml", baseRepoDir)
+ exposeServiceYAML = fmt.Sprintf("%s/docs/multicluster/expose-services.yaml", baseRepoDir)
+ exposeIstiodYAML = fmt.Sprintf("%s/docs/multicluster/expose-istiod.yaml", baseRepoDir)
+
+ // Initialize kubectl utilities, one for each cluster
+ k1 = kubectl.New().WithKubeconfig(kubeconfig)
+ k2 = kubectl.New().WithKubeconfig(kubeconfig2)
+}
diff --git a/tests/e2e/operator/operator_install_test.go b/tests/e2e/operator/operator_install_test.go
index cc6777d6c..28b760ad9 100644
--- a/tests/e2e/operator/operator_install_test.go
+++ b/tests/e2e/operator/operator_install_test.go
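Review bot: In `setup`, the error returned by `k8sclient.InitK8sClient(kubeconfig)` is overwritten by the following `InitK8sClient(kubeconfig2)` call before it is checked, so a primary client that failed to initialize goes unnoticed here and is presumably only discovered later inside the specs; add `if err != nil { t.Fatalf("Error initializing primary k8s client: %v", err) }` between the two calls and reword the existing message to name the remote cluster. The package-level `err error` exists only to serve those two assignments, and the later `err := certs.CreateIntermediateCA(artifacts)` shadows it, which is easy to misread; a local `var err error` at the top of `setup`, as the operator suite does, would remove the global. `RunSpecs(t, "Control Plane Suite")` also looks carried over from another suite; a name such as "Multicluster Suite" keeps reports distinguishable.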
@@ -23,10 +23,9 @@ import (
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
 "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
- common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
 "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 appsv1 "k8s.io/api/apps/v1"
@@ -60,7 +59,7 @@ var _ = Describe("Operator", Ordered, func() {
 Describe("installation", func() {
 BeforeAll(func() {
- Expect(kubectl.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created")
+ Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created")
 extraArg := ""
 if ocp {
@@ -125,7 +124,7 @@ var _ = Describe("Operator", Ordered, func() {
 Success("Operator uninstalled")
 By("Deleting the CRDs")
- Expect(kubectl.DeleteCRDs(sailCRDs)).To(Succeed(), "CRDs failed to be deleted")
+ Expect(k.DeleteCRDs(sailCRDs)).To(Succeed(), "CRDs failed to be deleted")
 Success("CRDs deleted")
 })
 })
diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go
index ebe1c972d..952d7cd8e 100644
--- a/tests/e2e/operator/operator_suite_test.go
+++ b/tests/e2e/operator/operator_suite_test.go
@@ -20,7 +20,8 @@ import (
 "testing"
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
- env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -33,9 +34,15 @@ var (
 image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
 namespace = env.Get("NAMESPACE", "sail-operator")
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
+ multicluster = env.GetBool("MULTICLUSTER", false)
+
+ k kubectl.Kubectl
 )
 func TestInstall(t *testing.T) {
+ if multicluster {
+ t.Skip("Skipping test for multicluster")
+ }
 RegisterFailHandler(Fail)
 setup()
 RunSpecs(t, "Install Operator Suite")
@@ -46,7 +53,7 @@ func setup() {
 GinkgoWriter.Println("Initializing k8s client")
 var err error
- cl, err = k8sclient.InitK8sClient()
+ cl, err = k8sclient.InitK8sClient("")
 Expect(err).NotTo(HaveOccurred())
 if ocp {
@@ -54,4 +61,6 @@ func setup() {
 } else {
 GinkgoWriter.Println("Running on Kubernetes")
 }
+
+ k = kubectl.New()
 }
diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go
new file mode 100644
index 000000000..505eebe6f
--- /dev/null
+++ b/tests/e2e/util/certs/certs.go
@@ -0,0 +1,280 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package certs + +import ( + "context" + "fmt" + "os" + "path/filepath" + + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CreateIntermediateCA creates the intermediate CA +func CreateIntermediateCA(basePath string) error { + certsDir := filepath.Join(basePath, "certs") + + // Create the certs directory + err := os.MkdirAll(certsDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create certs directory: %w", err) + } + + // Create the root CA configuration file + err = createRootCAConf(certsDir) + if err != nil { + return fmt.Errorf("failed to create root-ca.conf: %w", err) + } + + // Step 1: Generate root-key.pem + rootKey := filepath.Join(certsDir, "root-key.pem") + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl genrsa -out %s 4096", rootKey)) + if err != nil { + return fmt.Errorf("failed to generate root-key.pem: %w", err) + } + + // Step 2: Generate root-cert.csr using root-key.pem and root-ca.conf + rootCSR := filepath.Join(certsDir, "root-cert.csr") + rootConf := filepath.Join(certsDir, 
"root-ca.conf") // You'll need to ensure root-ca.conf exists + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl req -sha256 -new -key %s -config %s -out %s", rootKey, rootConf, rootCSR)) + if err != nil { + return fmt.Errorf("failed to generate root-cert.csr: %w", err) + } + + // Step 3: Generate root-cert.pem + rootCert := filepath.Join(certsDir, "root-cert.pem") + _, err = shell.ExecuteCommand( + fmt.Sprintf("openssl x509 -req -sha256 -days 3650 -signkey %s -extensions req_ext -extfile %s -in %s -out %s", + rootKey, rootConf, rootCSR, rootCert)) + if err != nil { + return fmt.Errorf("failed to generate root-cert.pem: %w", err) + } + + // Step 4: Generate east-cacerts (self-signed intermediate certificates) + // Create directories for east and west if needed + eastDir := filepath.Join(certsDir, "east") + westDir := filepath.Join(certsDir, "west") + + // Create the east and west directories + err = os.MkdirAll(eastDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create east directory: %w", err) + } + err = os.MkdirAll(westDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create west directory: %w", err) + } + + // Create the intermediate CA configuration file + err = createIntermediateCAConf(eastDir) + if err != nil { + return fmt.Errorf("failed to create ca.conf on east dir: %w", err) + } + + err = createIntermediateCAConf(westDir) + if err != nil { + return fmt.Errorf("failed to create ca.conf on west dir: %w", err) + } + + err = generateIntermediateCACertificates(eastDir, rootCert, rootKey) + if err != nil { + return fmt.Errorf("failed to generate east intermediate CA certificates: %w", err) + } + + err = generateIntermediateCACertificates(westDir, rootCert, rootKey) + if err != nil { + return fmt.Errorf("failed to generate west intermediate CA certificates: %w", err) + } + + return nil +} + +func generateIntermediateCACertificates(dir string, rootCert string, rootKey string) error { + caKey := filepath.Join(dir, "ca-key.pem") + _, err 
:= shell.ExecuteCommand(fmt.Sprintf("openssl genrsa -out %s 4096", caKey)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-key.pem: %w", err) + } + + caCSR := filepath.Join(dir, "ca-cert.csr") + caConf := filepath.Join(dir, "ca.conf") + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl req -sha256 -new -config %s -key %s -out %s", caConf, caKey, caCSR)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-cert.csr: %w", err) + } + + caCert := filepath.Join(dir, "ca-cert.pem") + _, err = shell.ExecuteCommand( + fmt.Sprintf("openssl x509 -req -sha256 -days 3650 -CA %s -CAkey %s -CAcreateserial -extensions req_ext -extfile %s -in %s -out %s", + rootCert, rootKey, caConf, caCSR, caCert)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-cert.pem: %w", err) + } + + certChain := filepath.Join(dir, "cert-chain.pem") + _, err = shell.ExecuteCommand(fmt.Sprintf("cat %s %s > %s", caCert, rootCert, certChain)) + if err != nil { + return fmt.Errorf("failed to generate east-cert-chain.pem: %w", err) + } + + return nil +} + +// createRootCAConf creates the root CA configuration file +func createRootCAConf(certsDir string) error { + confPath := filepath.Join(certsDir, "root-ca.conf") + confContent := ` +[ req ] +encrypt_key = no +prompt = no +utf8 = yes +default_md = sha256 +default_bits = 4096 +req_extensions = req_ext +x509_extensions = req_ext +distinguished_name = req_dn + +[ req_ext ] +subjectKeyIdentifier = hash +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign + +[ req_dn ] +O = Istio +CN = Root CA +` + + // Write the configuration file to the directory + return writeFile(confPath, confContent) +} + +// createIntermediateCAConf creates the intermediate CA configuration file +func createIntermediateCAConf(certsDir string) error { + confPath := filepath.Join(certsDir, "ca.conf") + confContent := fmt.Sprintf(` +[ req ] +encrypt_key = no +prompt = no +utf8 = 
yes +default_md = sha256 +default_bits = 4096 +req_extensions = req_ext +x509_extensions = req_ext +distinguished_name = req_dn + +[ req_ext ] +subjectKeyIdentifier = hash +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign +subjectAltName=@san + +[ san ] +DNS.1 = istiod.istio-system.svc + +[ req_dn ] +O = Istio +CN = Intermediate CA +L = %s +`, confPath) + + // Write the configuration file to the directory + return writeFile(confPath, confContent) +} + +// writeFile writes the content to the file +func writeFile(confPath string, confContent string) error { + file, err := os.Create(confPath) + if err != nil { + return fmt.Errorf("failed to create %s: %v", confPath, err) + } + defer file.Close() + + _, err = file.WriteString(confContent) + if err != nil { + return fmt.Errorf("failed to write to %s: %v", confPath, err) + } + + return nil +} + +// PushIntermediateCA pushes the intermediate CA to the cluster +func PushIntermediateCA(k kubectl.Kubectl, ns, zone, network, basePath string, cl client.Client) error { + // Set cert dir + certDir := filepath.Join(basePath, "certs") + + // Check if the secret exists in the cluster + _, err := common.GetObject(context.Background(), cl, kube.Key("cacerts", ns), &corev1.Secret{}) + if err != nil { + // Label the namespace with the network + err = k.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`) + if err != nil { + return fmt.Errorf("failed to label namespace: %w", err) + } + + // Read the pem content from the files + caCertPath := filepath.Join(certDir, zone, "ca-cert.pem") + caKeyPath := filepath.Join(certDir, zone, "ca-key.pem") + rootCertPath := filepath.Join(certDir, "root-cert.pem") + certChainPath := filepath.Join(certDir, zone, "cert-chain.pem") + + // Read the pem content from the files to create the secret + caCert, err := os.ReadFile(caCertPath) + if err != nil { + return 
fmt.Errorf("failed to read ca-cert.pem: %w", err) + } + caKey, err := os.ReadFile(caKeyPath) + if err != nil { + return fmt.Errorf("failed to read ca-key.pem: %w", err) + } + rootCert, err := os.ReadFile(rootCertPath) + if err != nil { + return fmt.Errorf("failed to read root-cert.pem: %w", err) + } + certChain, err := os.ReadFile(certChainPath) + if err != nil { + return fmt.Errorf("failed to read cert-chain.pem: %w", err) + } + + // Create the secret by using the client in the cluster and the files created in the setup + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "cacerts", + Namespace: ns, + }, + Data: map[string][]byte{ + "ca-cert.pem": caCert, + "ca-key.pem": caKey, + "root-cert.pem": rootCert, + "cert-chain.pem": certChain, + }, + } + + err = cl.Create(context.Background(), secret) + if err != nil { + return fmt.Errorf("failed to create secret: %w", err) + } + } + + return nil +} diff --git a/tests/e2e/util/client/client.go b/tests/e2e/util/client/client.go index 9ab45ee74..efebdad0f 100644 --- a/tests/e2e/util/client/client.go +++ b/tests/e2e/util/client/client.go @@ -27,8 +27,17 @@ import ( ) // getConfig returns the configuration of the kubernetes go-client -func getConfig() (*rest.Config, error) { - // use the current context in kubeconfig +func getConfig(kubeconfig string) (*rest.Config, error) { + // If kubeconfig is provided, use it + if kubeconfig != "" { + config, err := clientcmd.BuildConfigFromFlags("", kubeconfig) + if err != nil { + return nil, fmt.Errorf("error building config: %w", err) + } + + return config, nil + } + // If not kubeconfig is provided use the current context in kubeconfig config, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG")) if err != nil { return nil, fmt.Errorf("error building config: %w", err) 
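Review bot: PushIntermediateCA treats every error from common.GetObject as "secret does not exist" and proceeds to label the namespace and create `cacerts`, so a transient API error or an RBAC denial ends in a misleading AlreadyExists or Create failure instead of being surfaced; guard the branch with `if err != nil && !apierrors.IsNotFound(err) { return fmt.Errorf("failed to get cacerts secret: %w", err) }` (k8s.io/apimachinery/pkg/api/errors) before creating. Separately, createIntermediateCAConf writes `L = %s` with confPath, so the config file's own path lands in the certificate subject's locality field — presumably the zone or directory name was intended. The error strings in generateIntermediateCACertificates always say `east-…` even when it is called for westDir, and every path is spliced unquoted into a shell line (`cat %s %s > %s`), so a basePath containing spaces or shell metacharacters breaks the openssl commands; single-quoting the paths or moving to an argv-based exec would close that. The comment on rootConf, "You'll need to ensure root-ca.conf exists", is stale because createRootCAConf writes that file a few lines earlier.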
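Review bot: The new branch in getConfig repeats the BuildConfigFromFlags call and its error wrapping verbatim; resolving the path first keeps a single call site: `if kubeconfig == "" { kubeconfig = os.Getenv("KUBECONFIG") }` followed by the existing `config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)`. The comment `// If not kubeconfig is provided use the current context in kubeconfig` reads as a typo for "If no kubeconfig is provided, use the current context". getConfig's body continues past the end of this hunk.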
@@ -38,8 +47,11 @@ func getConfig() (*rest.Config, error) { } // InitK8sClient returns the kubernetes clientset -func InitK8sClient() (client.Client, error) { - config, err := getConfig() +// Arguments: +// Kubeconfig: string +// Set kubeconfig to "" to use the current context in kubeconfig +func InitK8sClient(kubeconfig string) (client.Client, error) { + config, err := getConfig(kubeconfig) if err != nil { return nil, fmt.Errorf("error getting config for k8s client: %w", err) } diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go index a787a4b49..4ccbe570a 100644 --- a/tests/e2e/util/common/e2e_utils.go +++ b/tests/e2e/util/common/e2e_utils.go @@ -18,15 +18,21 @@ package common import ( "context" + "fmt" + "regexp" "strings" "time" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/Masterminds/semver/v3" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" "istio.io/istio/pkg/ptr" 
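Review bot: The added doc lines `// Kubeconfig: string` and `// Set kubeconfig to "" …` are indented under an `Arguments:` heading, which gofmt and godoc render as a preformatted block rather than prose; a plain sentence reads better in the package docs: `// InitK8sClient returns a controller-runtime client for the given kubeconfig path; pass "" to fall back to the KUBECONFIG environment variable.` That wording also matches what getConfig actually does with "", which is read the environment variable rather than a named context. InitK8sClient's body continues outside the hunk.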
@@ -39,21 +45,59 @@ var ( istioName = env.Get("ISTIO_NAME", "default") istioCniName = env.Get("ISTIOCNI_NAME", "default") istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni") + + // version can have one of the following formats: + // - 1.22.2 + // - 1.23.0-rc.1 + // - 1.24-alpha.feabc1234 + istiodVersionRegex = regexp.MustCompile(`Version:"([^"]*)"`) + + k = kubectl.New() ) -// getObject returns the object with the given key +// GetObject returns the object with the given key func GetObject(ctx context.Context, cl client.Client, key client.ObjectKey, obj client.Object) (client.Object, error) { err := cl.Get(ctx, key, obj) return obj, err } -// getList invokes client.List and returns the list +// GetList invokes client.List and returns the list func GetList(ctx context.Context, cl client.Client, list client.ObjectList, opts ...client.ListOption) (client.ObjectList, error) { err := cl.List(ctx, list, opts...) return list, err } -// checkNamespaceEmpty checks if the given namespace is empty +// GetPodNameByLabel returns the name of the pod with the given label +func GetPodNameByLabel(ctx context.Context, cl client.Client, ns, labelKey, labelValue string) (string, error) { + podList := &corev1.PodList{} + err := cl.List(ctx, podList, client.InNamespace(ns), client.MatchingLabels{labelKey: labelValue}) + if err != nil { + return "", err + } + if len(podList.Items) == 0 { + return "", fmt.Errorf("no pod found with label %s=%s", labelKey, labelValue) + } + return podList.Items[0].Name, nil +} + +// GetSVCLoadBalancerAddress returns the address of the service with the given name +func GetSVCLoadBalancerAddress(ctx context.Context, cl client.Client, ns, svcName string) (string, error) { + svc := &corev1.Service{} + err := cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) + if err != nil { + return "", err + } + + // To avoid flakiness, wait for the LoadBalancer to be ready + Eventually(func() ([]corev1.LoadBalancerIngress, error) { + err := 
cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) + return svc.Status.LoadBalancer.Ingress, err + }, "1m", "1s").ShouldNot(BeEmpty(), "LoadBalancer should be ready") + + return svc.Status.LoadBalancer.Ingress[0].IP, nil +} + +// CheckNamespaceEmpty checks if the given namespace is empty func CheckNamespaceEmpty(ctx SpecContext, cl client.Client, ns string) { // TODO: Check to add more validations Eventually(func() ([]corev1.Pod, error) { 
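Review bot: GetSVCLoadBalancerAddress returns `svc.Status.LoadBalancer.Ingress[0].IP`, which is empty on providers that publish a hostname instead of an address (LoadBalancerIngress carries both IP and Hostname), so the function would hand back "" with a nil error; fall back to the hostname: `ing := svc.Status.LoadBalancer.Ingress[0]; if ing.IP == "" { return ing.Hostname, nil }; return ing.IP, nil`. The initial cl.Get before the Eventually is redundant, since the polling closure performs the same Get and svc is only read after the wait completes. GetPodNameByLabel silently picks Items[0], which is fine for single-replica workloads but worth a sentence in its doc comment. CheckNamespaceEmpty's body continues outside the hunk.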
@@ -97,53 +141,56 @@ func LogDebugInfo() { } func logOperatorDebugInfo() { - operator, err := kubectl.GetYAML(namespace, "deployment", deploymentName) + operator, err := k.WithNamespace(namespace).GetYAML("deployment", deploymentName) logDebugElement("Operator Deployment YAML", operator, err) - logs, err := kubectl.Logs(namespace, "deploy/"+deploymentName, ptr.Of(120*time.Second)) + logs, err := k.WithNamespace(namespace).Logs("deploy/"+deploymentName, ptr.Of(120*time.Second)) logDebugElement("Operator logs", logs, err) - events, err := kubectl.GetEvents(namespace) + events, err := k.WithNamespace(namespace).GetEvents() logDebugElement("Events in "+namespace, events, err) - // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(namespace, "-o wide") + // Temporary information to gather more details about failure + pods, err := k.WithNamespace(namespace).GetPods("", "-o wide") logDebugElement("Pods in "+namespace, pods, err) - describe, err := kubectl.Describe(namespace, "deployment", deploymentName) + describe, err := k.WithNamespace(namespace).Describe("deployment", deploymentName) logDebugElement("Operator Deployment describe", describe, err) } func logIstioDebugInfo() { - resource, err := kubectl.GetYAML("", "istio", istioName) + resource, err := k.GetYAML("istio", istioName) logDebugElement("Istio YAML", resource, err) - output, err := kubectl.GetPods(controlPlaneNamespace, "-o wide") + output, err := k.WithNamespace(controlPlaneNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+controlPlaneNamespace, output, err) - logs, err := kubectl.Logs(controlPlaneNamespace, "deploy/istiod", ptr.Of(120*time.Second)) + logs, err := k.WithNamespace(controlPlaneNamespace).Logs("deploy/istiod", ptr.Of(120*time.Second)) logDebugElement("Istiod logs", logs, err) - events, err := kubectl.GetEvents(controlPlaneNamespace) + events, err := k.WithNamespace(controlPlaneNamespace).GetEvents() logDebugElement("Events in 
"+controlPlaneNamespace, events, err) } func logCNIDebugInfo() { - resource, err := kubectl.GetYAML("", "istiocni", istioCniName) + resource, err := k.GetYAML("istiocni", istioCniName) logDebugElement("IstioCNI YAML", resource, err) - ds, err := kubectl.GetYAML(istioCniNamespace, "daemonset", "istio-cni-node") + ds, err := k.WithNamespace(istioCniNamespace).GetYAML("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet YAML", ds, err) - events, err := kubectl.GetEvents(istioCniNamespace) + events, err := k.WithNamespace(istioCniNamespace).GetEvents() logDebugElement("Events in "+istioCniNamespace, events, err) - // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(istioCniNamespace, "-o wide") + // Temporary information to gather more details about failure + pods, err := k.WithNamespace(istioCniNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+istioCniNamespace, pods, err) - describe, err := kubectl.Describe(istioCniNamespace, "daemonset", "istio-cni-node") + describe, err := k.WithNamespace(istioCniNamespace).Describe("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet describe", describe, err) + + logs, err := k.WithNamespace(istioCniNamespace).Logs("daemonset/istio-cni-node", ptr.Of(120*time.Second)) + logDebugElement("Istio CNI logs", logs, err) } func logDebugElement(caption string, info string, err error) { 
@@ -155,3 +202,35 @@ func logDebugElement(caption string, info string, err error) { GinkgoWriter.Println(indent + strings.ReplaceAll(strings.TrimSpace(info), "\n", "\n"+indent)) } } + +func GetVersionFromIstiod() (*semver.Version, error) { + k := kubectl.New() + output, err := k.WithNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version") + if err != nil { + return nil, fmt.Errorf("error getting version from istiod: %w", err) + } + + matches := istiodVersionRegex.FindStringSubmatch(output) + if len(matches) > 1 && matches[1] != "" { + return semver.NewVersion(matches[1]) + } + return nil, fmt.Errorf("error getting version from istiod: version not found in output: %s", output) +} + +func CheckPodsReady(ctx SpecContext, cl client.Client, namespace string) (*corev1.PodList, error) { + podList := &corev1.PodList{} + + err := cl.List(ctx, podList, client.InNamespace(namespace)) + if err != nil { + return nil, fmt.Errorf("failed to list pods in %s namespace: %w", namespace, err) + } + + Expect(podList.Items).ToNot(BeEmpty(), fmt.Sprintf("No pods found in %s namespace", namespace)) + + for _, pod := range podList.Items { + Eventually(GetObject).WithArguments(ctx, cl, kube.Key(pod.Name, namespace), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), fmt.Sprintf("%q Pod in %q namespace is not Ready", pod.Name, namespace)) + } + + return podList, nil +} diff --git a/tests/e2e/util/istioctl/istioctl.go b/tests/e2e/util/istioctl/istioctl.go new file mode 100644 index 000000000..7186ed6b1 --- /dev/null +++ b/tests/e2e/util/istioctl/istioctl.go 
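Review bot: GetVersionFromIstiod and CheckPodsReady are exported but carry no doc comments, and GetVersionFromIstiod creates a fresh `k := kubectl.New()` that shadows the package-level `k` declared in the var block earlier in the file. Suggested lines: `// GetVersionFromIstiod runs "pilot-discovery version" in deploy/istiod and parses the reported Version into a semver.Version.` and `// CheckPodsReady lists the pods in namespace, fails the spec via Expect/Eventually unless every pod reports Ready, and returns the list.` In CheckPodsReady the `fmt.Sprintf(...)` wrappers are unnecessary because Gomega assertion messages accept a format string plus arguments directly, e.g. `.Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "%q Pod in %q namespace is not Ready", pod.Name, namespace)`. Because readiness failures are raised as assertions while list failures come back as an error, callers' error handling never sees the former, which is worth stating in the doc comment.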
@@ -0,0 +1,55 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR Condition OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istioctl + +import ( + "fmt" + + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" +) + +var istioctlBinary = env.Get("ISTIOCTL_PATH", "istioctl") + +// Istioctl returns the istioctl command +// If the environment variable COMMAND is set, it will return the value of COMMAND +// Otherwise, it will return the default value "istioctl" as default +// Arguments: +// - format: format of the command without istioctl +// - args: arguments of the command +func istioctl(format string, args ...interface{}) string { + binary := "istioctl" + if istioctlBinary != "" { + binary = istioctlBinary + } + + cmd := fmt.Sprintf(format, args...) + + return fmt.Sprintf("%s %s", binary, cmd) +} + +// CreateRemoteSecret creates a secret in the remote cluster +// Arguments: +// - remoteKubeconfig: kubeconfig of the remote cluster +// - secretName: name of the secret +// - internalIP: internal IP of the remote cluster +func CreateRemoteSecret(remoteKubeconfig string, secretName string, internalIP string) (string, error) { + cmd := istioctl("create-remote-secret --kubeconfig %s --name %s --server=https://%s:6443", remoteKubeconfig, secretName, internalIP) + yaml, err := shell.ExecuteCommand(cmd) + + return yaml, err +} 
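Review bot: The doc comment on `istioctl` says the binary comes from the COMMAND environment variable, but the code reads `ISTIOCTL_PATH` through env.Get, and the `if istioctlBinary != ""` fallback is dead because env.Get already supplies the default "istioctl"; `// istioctl builds an istioctl command line; the binary is taken from ISTIOCTL_PATH (default "istioctl").` with `return fmt.Sprintf("%s %s", istioctlBinary, fmt.Sprintf(format, args...))` is all that is needed. CreateRemoteSecret splices remoteKubeconfig unquoted into a shell command and hard-codes `https://%s:6443`; quoting the path and making the port a parameter, or documenting the assumption that the remote API server listens on 6443, avoids surprises on clusters using another port. The license header reads "WITHOUT WARRANTIES OR Condition OF ANY KIND" where the Apache text has "CONDITIONS".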
diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go
index 7d4e8f054..f1b69576f 100644
--- a/tests/e2e/util/kubectl/kubectl.go
+++ b/tests/e2e/util/kubectl/kubectl.go
@@ -23,26 +23,85 @@ import ( "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" ) -const DefaultBinary = "kubectl" +type Kubectl struct { + binary string + namespace string + kubeconfig string +} + +// New creates a new kubectl.Kubectl +func New() Kubectl { + return Kubectl{}.WithBinary(os.Getenv("COMMAND")) +} + +func (k Kubectl) build(cmd string) string { + args := []string{k.binary} + + // Only append namespace if it's set + if k.namespace != "" { + args = append(args, k.namespace) + } + + // Only append kubeconfig if it's set + if k.kubeconfig != "" { + args = append(args, k.kubeconfig) + } + + args = append(args, cmd) + + // Join all the arguments with a space + return strings.Join(args, " ") +} + +// WithBinary returns a new Kubectl with the binary set to the given value; if the value is "", the binary is set to "kubectl" +func (k Kubectl) WithBinary(binary string) Kubectl { + if binary == "" { + k.binary = "kubectl" + } else { + k.binary = binary + } + return k +} -// kubectl return the kubectl command -// If the environment variable COMMAND is set, it will return the value of COMMAND -// Otherwise, it will return the default value "kubectl" as default -// Arguments: -// - format: format of the command without kubeclt or oc -// - args: arguments of the command -func kubectl(format string, args ...interface{}) string { - binary := DefaultBinary - if cmd := os.Getenv("COMMAND"); cmd != "" { - binary = cmd +// WithNamespace returns a new Kubectl with the namespace set to the given value +func (k Kubectl) WithNamespace(ns string) Kubectl { + if ns == "" { + k.namespace = "--all-namespaces" + } else { + k.namespace = fmt.Sprintf("-n %s", ns) } + return k +} - return binary + " " + fmt.Sprintf(format, args...) 
+// WithKubeconfig returns a new Kubectl with kubeconfig set to the given value +func (k Kubectl) WithKubeconfig(kubeconfig string) Kubectl { + if kubeconfig == "" { + k.kubeconfig = "" + } else { + k.kubeconfig = fmt.Sprintf("--kubeconfig %s", kubeconfig) + } + return k +} + +// CreateNamespace creates a namespace +// If the namespace already exists, it will return nil +func (k Kubectl) CreateNamespace(ns string) error { + cmd := k.build(" create namespace " + ns) + output, err := k.executeCommand(cmd) + if err != nil { + if strings.Contains(output, "AlreadyExists") { + return nil + } + + return fmt.Errorf("error creating namespace: %w, output: %s", err, output) + } + + return nil } // CreateFromString creates a resource from the given yaml string -func CreateFromString(yamlString string) error { - cmd := kubectl("create -f -") +func (k Kubectl) CreateFromString(yamlString string) error { + cmd := k.build(" create -f -") _, err := shell.ExecuteCommandWithInput(cmd, yamlString) if err != nil { return fmt.Errorf("error creating resource from yaml: %w", err) 
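Review bot: Every caller of `build` passes its subcommand with a leading space (`k.build(" create namespace " + ns)`), which leaves a double space after the binary and pushes a formatting detail into a dozen call sites; trimming once inside build, `args = append(args, strings.TrimSpace(cmd))`, lets callers pass `"create namespace " + ns`. WithNamespace("") turns into `--all-namespaces`, which only makes sense for read verbs; a CreateNamespace, Apply or Delete issued on such a receiver would most likely be rejected by kubectl as an unknown flag, so either document that "" is only valid with get/describe/logs or leave the namespace flag empty in that case. The COMMAND value picked up by New and the path given to WithKubeconfig are spliced into the command string unquoted, so a path containing spaces splits into separate arguments.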
@@ -50,111 +109,113 @@ func CreateFromString(yamlString string) error { return nil } -// ApplyString applies the given yaml string to the cluster -func ApplyString(ns, yamlString string) error { - cmd := kubectl("apply -n %s --server-side -f -", ns) - _, err := shell.ExecuteCommandWithInput(cmd, yamlString) - if err != nil { - return fmt.Errorf("error applying yaml: %w", err) +// DeleteCRDs deletes the CRDs by given list of crds names +func (k Kubectl) DeleteCRDs(crds []string) error { + for _, crd := range crds { + cmd := k.build(" delete crd " + crd) + _, err := shell.ExecuteCommand(cmd) + if err != nil { + return fmt.Errorf("error deleting crd %s: %w", crd, err) + } } return nil } -// Apply applies the given yaml file to the cluster -func Apply(ns, yamlFile string) error { - cmd := kubectl("apply -n %s -f %s", ns, yamlFile) - _, err := shell.ExecuteCommand(cmd) +// DeleteNamespace deletes a namespace +func (k Kubectl) DeleteNamespace(ns string) error { + cmd := k.build(" delete namespace " + ns) + _, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error applying yaml: %w", err) + return fmt.Errorf("error deleting namespace: %w", err) } return nil } -// CreateNamespace creates a namespace -// If the namespace already exists, it will return nil -func CreateNamespace(ns string) error { - cmd := kubectl("create namespace %s", ns) - output, err := shell.ExecuteCommand(cmd) +// ApplyString applies the given yaml string to the cluster +func (k Kubectl) ApplyString(yamlString string) error { + cmd := k.build(" apply --server-side -f -") + _, err := shell.ExecuteCommandWithInput(cmd, yamlString) if err != nil { - if strings.Contains(output, "AlreadyExists") { - return nil - } - - return fmt.Errorf("error creating namespace: %w, output: %s", err, output) + return fmt.Errorf("error applying yaml: %w", err) } return nil } -// DeleteNamespace deletes a namespace -func DeleteNamespace(ns string) error { - cmd := kubectl("delete namespace %s", ns) - _, err := 
shell.ExecuteCommand(cmd) +// Apply applies the given yaml file to the cluster +func (k Kubectl) Apply(yamlFile string) error { + err := k.ApplyWithLabels(yamlFile, "") + return err +} + +// ApplyWithLabels applies the given yaml file to the cluster with the given labels +func (k Kubectl) ApplyWithLabels(yamlFile, label string) error { + cmd := k.build(" apply " + labelFlag(label) + " -f " + yamlFile) + _, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error deleting namespace: %w", err) + return fmt.Errorf("error applying yaml: %w", err) } return nil } -// Delete deletes a resource based on the namespace, kind and the name -func Delete(ns, kind, name string) error { - cmd := kubectl("delete %s %s %s", kind, name, nsflag(ns)) - _, err := shell.ExecuteCommand(cmd) +// DeleteFromFile deletes a resource from the given yaml file +func (k Kubectl) DeleteFromFile(yamlFile string) error { + cmd := k.build(" delete -f " + yamlFile) + _, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error deleting deployment: %w", err) + return fmt.Errorf("error deleting resource from yaml: %w", err) } return nil } -// DeleteCRDs deletes the CRDs by given list of crds names -func DeleteCRDs(crds []string) error { - for _, crd := range crds { - cmd := kubectl("delete crd %s", crd) - _, err := shell.ExecuteCommand(cmd) - if err != nil { - return fmt.Errorf("error deleting crd %s: %w", crd, err) - } +// Delete deletes a resource based on the namespace, kind and the name +func (k Kubectl) Delete(kind, name string) error { + cmd := k.build(" delete " + kind + " " + name) + _, err := k.executeCommand(cmd) + if err != nil { + return fmt.Errorf("error deleting deployment: %w", err) } return nil } -// Patch patches a resource. 
-func Patch(ns, kind, name, patchType, patch string) error { - cmd := kubectl(`patch %s %s %s --type=%s -p=%q`, kind, name, prepend("-n", ns), patchType, patch) - _, err := shell.ExecuteCommand(cmd) +// Patch patches a resource +func (k Kubectl) Patch(kind, name, patchType, patch string) error { + cmd := k.build(fmt.Sprintf(" patch %s %s --type=%s -p=%q", kind, name, patchType, patch)) + _, err := k.executeCommand(cmd) if err != nil { return fmt.Errorf("error patching resource: %w", err) } return nil } -// ForceDelete deletes a resource by removing its finalizers. -func ForceDelete(ns, kind, name string) error { +// ForceDelete deletes a resource by removing its finalizers +func (k Kubectl) ForceDelete(kind, name string) error { // Not all resources have finalizers, trying to remove them returns an error here. // We explicitly ignore the error and attempt to delete the resource anyway. - _ = Patch(ns, kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) - return Delete(ns, kind, name) + _ = k.Patch(kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) + return k.Delete(kind, name) } // GetYAML returns the yaml of a resource -// Arguments: -// - ns: namespace -// - kind: type of the resource -// - name: name of the resource -func GetYAML(ns, kind, name string) (string, error) { - cmd := kubectl("get %s %s %s -o yaml", kind, name, nsflag(ns)) - return shell.ExecuteCommand(cmd) +func (k Kubectl) GetYAML(kind, name string) (string, error) { + cmd := k.build(fmt.Sprintf(" get %s %s -o yaml", kind, name)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", fmt.Errorf("error getting yaml: %w, output: %s", err, output) + } + + return output, nil } // GetPods returns the pods of a namespace -func GetPods(ns string, args ...string) (string, error) { - cmd := kubectl("get pods %s %s", nsflag(ns), strings.Join(args, " ")) - output, err := shell.ExecuteCommand(cmd) +func (k Kubectl) GetPods(args ...string) (string, 
error) { + cmd := k.build(fmt.Sprintf(" get pods %s", strings.Join(args, " "))) + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error getting pods: %w, output: %s", err, output) } @@ -162,10 +223,31 @@ func GetPods(ns string, args ...string) (string, error) { return output, nil } +// GetInternalIP returns the internal IP of a node +func (k Kubectl) GetInternalIP(label string) (string, error) { + cmd := k.build(fmt.Sprintf(" get nodes -l %s -o jsonpath='{.items[0].status.addresses[?(@.type==\"InternalIP\")].address}'", label)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", fmt.Errorf("error getting internal IP: %w, output: %s", err, output) + } + + return output, nil +} + +// Exec executes a command in the pod or specific container +func (k Kubectl) Exec(pod, container, command string) (string, error) { + cmd := k.build(fmt.Sprintf(" exec %s %s -- %s", pod, containerFlag(container), command)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", err + } + return output, nil +} + // GetEvents returns the events of a namespace -func GetEvents(ns string) (string, error) { - cmd := kubectl("get events %s", nsflag(ns)) - output, err := shell.ExecuteCommand(cmd) +func (k Kubectl) GetEvents() (string, error) { + cmd := k.build(" get events") + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error getting events: %w, output: %s", err, output) } 
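Review bot: `Apply` is a two-line wrapper that can simply `return k.ApplyWithLabels(yamlFile, "")`, and `Delete` keeps the message `error deleting deployment` although it now deletes any kind; `return fmt.Errorf("error deleting %s %s: %w", kind, name, err)` makes the debug output accurate. CreateFromString and ApplyString call shell.ExecuteCommandWithInput directly while every other method goes through k.executeCommand, which is harmless while executeCommand is a pass-through but will diverge the moment it gains behaviour. Patch quotes the JSON with Go's `%q`, whose escapes (`\"`, `\n`, `\u00e9`) are not shell double-quote escapes, and `$` or backticks inside the patch would still be expanded by the shell; single-quoting and escaping embedded `'` is the robust form. GetPods starts at the end of this hunk and its body continues into the next.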
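Review bot: `Exec` discards the captured output when the command fails (`return "", err`), unlike GetYAML, GetPods and GetEvents which include it, so a failing `pilot-discovery version` in GetVersionFromIstiod surfaces as a bare exit status; `return "", fmt.Errorf("error executing command in pod %s: %w, output: %s", pod, err, output)` keeps the diagnostics. GetInternalIP embeds a single-quoted jsonpath expression and the raw `label` in the command line, which relies on shell.ExecuteCommand running through a shell (the `cat … > …` usage in certs.go suggests it does) and on `label` never containing quotes. The expression reads `.items[0]`, so when several nodes match the selector the choice is arbitrary; `// GetInternalIP returns the InternalIP address of the first node matching the given label selector` states that for callers.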
@@ -174,13 +256,9 @@ func GetEvents(ns string) (string, error) { } // Describe returns the description of a resource -// Arguments: -// - ns: namespace -// - kind: type of the resource -// - name: name of the resource -func Describe(ns, kind, name string) (string, error) { - cmd := kubectl("describe %s %s %s", kind, name, nsflag(ns)) - output, err := shell.ExecuteCommand(cmd) +func (k Kubectl) Describe(kind, name string) (string, error) { + cmd := k.build(fmt.Sprintf(" describe %s %s", kind, name)) + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error describing resource: %w, output: %s", err, output) } @@ -189,12 +267,8 @@ func Describe(ns, kind, name string) (string, error) { } // Logs returns the logs of a deployment -// Arguments: -// - ns: namespace -// - pod: the pod name, "kind/name", or "-l labelselector" -// - Since: time range -func Logs(ns, pod string, since *time.Duration) (string, error) { - cmd := kubectl("logs %s %s %s", pod, nsflag(ns), sinceFlag(since)) +func (k Kubectl) Logs(pod string, since *time.Duration) (string, error) { + cmd := k.build(fmt.Sprintf(" logs %s %s", pod, sinceFlag(since))) output, err := shell.ExecuteCommand(cmd) if err != nil { return "", err @@ -202,6 +276,11 @@ func Logs(ns, pod string, since *time.Duration) (string, error) { return output, nil } +// executeCommand handles running the command and then resets the namespace automatically +func (k Kubectl) executeCommand(cmd string) (string, error) { + return shell.ExecuteCommand(cmd) +} + func sinceFlag(since *time.Duration) string { if since == nil { return "" 
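Review bot: The doc comment on the new `executeCommand` says it "resets the namespace automatically", but the body is a plain pass-through to shell.ExecuteCommand and the receiver is a value type, so nothing is reset; `// executeCommand runs the assembled kubectl command line through the shell helper so all invocations share one entry point.` describes what is there. `Logs` in the preceding hunk still calls shell.ExecuteCommand directly instead of k.executeCommand, leaving it the one non-stdin method that bypasses the shared entry point after this refactor.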
@@ -209,32 +288,14 @@ func sinceFlag(since *time.Duration) string {
 return "--since=" + since.String()
 }
-// Exec executes a command in the pod or specific container
-func Exec(ns, pod, container, command string) (string, error) {
- cmd := kubectl("exec %s %s %s -- %s", pod, containerflag(container), nsflag(ns), command)
- output, err := shell.ExecuteCommand(cmd)
- if err != nil {
- return "", err
- }
- return output, nil
-}
-
-// prepend prepends the prefix, but only if str is not empty
-func prepend(prefix, str string) string {
- if str == "" {
- return str
- }
- return prefix + str
-}
-
-func nsflag(ns string) string {
- if ns == "" {
- return "--all-namespaces"
+func labelFlag(label string) string {
+ if label == "" {
+ return ""
 }
- return "-n " + ns
+ return "-l " + label
 }
-func containerflag(container string) string {
+func containerFlag(container string) string {
 if container == "" {
 return ""
 }
diff --git a/tools/update_deps.sh b/tools/update_deps.sh
index f544bbaff..6677af3de 100755
--- a/tools/update_deps.sh
+++ b/tools/update_deps.sh
@@ -58,7 +58,7 @@ sed -i "s|OPM_VERSION ?= .*|OPM_VERSION ?= ${OPM_LATEST_VERSION}|" "${ROOTDIR}/M
 RBAC_PROXY_LATEST_VERSION=$(getLatestVersion brancz/kube-rbac-proxy | cut -d/ -f1)
 # Only update it if the newer image is available in the registry
 if docker manifest inspect "gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}" >/dev/null 2>/dev/null; then
- sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/templates/deployment.yaml"
+ sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/values.yaml"
 fi
 # Update gitleaks
diff --git a/versions.yaml b/versions.yaml
index 116ad15ac..6f4a4e74a 100644
--- a/versions.yaml
+++ b/versions.yaml
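Review bot: `labelFlag` is added here but nothing in this diff calls it — `GetInternalIP` in the earlier hunk formats `-l %s` by hand — so unless it is referenced outside the visible hunks it is dead, unexported code that unused-symbol linters will flag. Either route `GetInternalIP` through it, e.g. `fmt.Sprintf(" get nodes %s -o jsonpath=...", labelFlag(label))`, or drop the helper. Deleting `nsflag` also deletes the `--all-namespaces` fallback that an empty namespace used to select in `GetEvents`, `Describe`, `Logs` and `Exec`; if `k.build` does not reproduce that default, callers that relied on it now get a different scope, and that behaviour is not visible in these hunks.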
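Review bot: the `sed -i` substitution on `chart/values.yaml` gives no signal when the pattern is absent — if the image key moves again or is renamed, the script exits 0 with nothing updated, which is exactly the failure mode the path change is correcting. Guard it so the run fails loudly, e.g. `grep -q 'gcr.io/kubebuilder/kube-rbac-proxy:' "${ROOTDIR}/chart/values.yaml" || { echo 'kube-rbac-proxy image not found in values.yaml' >&2; exit 1; }` before the `sed`. Note also that `.*` runs to end of line, so any trailing inline comment on that values line is silently deleted. The image stays pinned by mutable tag rather than digest; that is unchanged by this commit, but `docker manifest inspect` already returns the digest if the project wants to pin it.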
@@ -11,46 +11,45 @@
 # go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision),
 # as well as all the Istio CRDs (e.g. VirtualService).
 versions:
- - name: v1.23.0
- version: 1.23.0
+ - name: v1.23.2
+ version: 1.23.2
 repo: https://github.com/istio/istio
- commit: 1.23.0
+ commit: 1.23.2
 charts:
- - https://istio-release.storage.googleapis.com/charts/base-1.23.0.tgz
- - https://istio-release.storage.googleapis.com/charts/istiod-1.23.0.tgz
- - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.0.tgz
- - https://istio-release.storage.googleapis.com/charts/gateway-1.23.0.tgz
- - https://istio-release.storage.googleapis.com/charts/cni-1.23.0.tgz
- - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.0.tgz
- - name: v1.22.3
- version: 1.22.3
+ - https://istio-release.storage.googleapis.com/charts/base-1.23.2.tgz
+ - https://istio-release.storage.googleapis.com/charts/istiod-1.23.2.tgz
+ - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.2.tgz
+ - https://istio-release.storage.googleapis.com/charts/gateway-1.23.2.tgz
+ - https://istio-release.storage.googleapis.com/charts/cni-1.23.2.tgz
+ - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.2.tgz
+ - name: v1.22.5
+ version: 1.22.5
 repo: https://github.com/istio/istio
- commit: 1.22.3
+ commit: 1.22.5
 charts:
- - https://istio-release.storage.googleapis.com/charts/base-1.22.3.tgz
- - https://istio-release.storage.googleapis.com/charts/istiod-1.22.3.tgz
- - https://istio-release.storage.googleapis.com/charts/gateway-1.22.3.tgz
- - https://istio-release.storage.googleapis.com/charts/cni-1.22.3.tgz
- - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.3.tgz
- - name: v1.21.5
- version: 1.21.5
+ - https://istio-release.storage.googleapis.com/charts/base-1.22.5.tgz
+ - https://istio-release.storage.googleapis.com/charts/istiod-1.22.5.tgz
+ - https://istio-release.storage.googleapis.com/charts/gateway-1.22.5.tgz
+ - https://istio-release.storage.googleapis.com/charts/cni-1.22.5.tgz
+ - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.5.tgz
+ - name: v1.21.6
+ version: 1.21.6
 repo: https://github.com/istio/istio
- commit: 1.21.5
+ commit: 1.21.6
 charts:
- - https://istio-release.storage.googleapis.com/charts/base-1.21.5.tgz
- - https://istio-release.storage.googleapis.com/charts/istiod-1.21.5.tgz
- - https://istio-release.storage.googleapis.com/charts/gateway-1.21.5.tgz
- - https://istio-release.storage.googleapis.com/charts/cni-1.21.5.tgz
- - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.5.tgz
+ - https://istio-release.storage.googleapis.com/charts/base-1.21.6.tgz
+ - https://istio-release.storage.googleapis.com/charts/istiod-1.21.6.tgz
+ - https://istio-release.storage.googleapis.com/charts/gateway-1.21.6.tgz
+ - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz
+ - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz
 - name: latest
- version: 1.24-alpha
+ version: 1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1
 repo: https://github.com/istio/istio
 branch: master
- commit: b28bdd77da4c7f0f4f3631db514f1c4f79a90289
+ commit: 6f95f8c912c44489b4f78568207337bd907f46c1
 charts:
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/base-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/cni-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/gateway-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/istiod-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/istiod-remote-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz
- - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/ztunnel-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/base-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/cni-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/gateway-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/istiod-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz
+ - https://storage.googleapis.com/istio-build/dev/1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1/helm/ztunnel-1.24-alpha.6f95f8c912c44489b4f78568207337bd907f46c1.tgz