diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 0b1d2b6d5..15251b657 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,6 @@ { "name": "istio build-tools", - "image": "gcr.io/istio-testing/build-tools:master-0aa2afb4bac9a4fd1bfe50a929c077a643066b3a", + "image": "gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90", "privileged": true, "remoteEnv": { "USE_GKE_GCLOUD_AUTH_PLUGIN": "True", diff --git a/.github/codecov.yml b/.github/codecov.yml new file mode 100644 index 000000000..73f4c0aae --- /dev/null +++ b/.github/codecov.yml @@ -0,0 +1,4 @@ +ignore: + - "api" + - "hack" + - "tests" \ No newline at end of file diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 000000000..9a3170f7f --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,40 @@ + + +#### What type of PR is this? + + +- [ ] Enhancement / New Feature +- [ ] Bug Fix +- [ ] Refactor +- [ ] Optimization +- [ ] Test +- [ ] Documentation Update + +#### What this PR does / why we need it: + + +#### Which issue(s) this PR fixes: + +Fixes # + +Related Issue/PR # + +#### Additional information: diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml new file mode 100644 index 000000000..d81d346a2 --- /dev/null +++ b/.github/workflows/coverage.yaml @@ -0,0 +1,21 @@ +name: Code coverage workflow + +on: [push, pull_request] + +jobs: + coverage: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run coverage + run: | + make test.unit \ + -e COVERAGE=true + + - name: Upload to Codecov + uses: codecov/codecov-action@v4 + with: + file: out/coverage.out + token: ${{ secrets.CODECOV_TOKEN }} + fail_ci_if_error: true \ No newline at end of file diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml new file mode 100644 index 000000000..c4772fabd --- /dev/null 
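Review bot: The new coverage job has no `permissions:` block and both `actions/checkout@v4` and `codecov/codecov-action@v4` are pinned to mutable major tags, so it runs with the repository-default GITHUB_TOKEN scope and with whatever code those tags resolve to on the day. Add `permissions: contents: read` to the job and pin each action to a full commit SHA with the tag in a trailing comment. Separately, `secrets.CODECOV_TOKEN` is not exposed to `pull_request` runs from forks, so with `fail_ci_if_error: true` external PRs will fail this check unless the action's tokenless path covers them; `fail_ci_if_error: ${{ github.event_name == 'push' }}` keeps the strict behaviour where the token is actually present.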
+++ b/.github/workflows/helm.yaml @@ -0,0 +1,32 @@ +name: Publish Helm artifact + +on: + workflow_dispatch: + inputs: + release_version: + description: "Release version" + required: true + +run-name: Publish Helm artifact ${{ inputs.release_version }} + +env: + GIT_USER: ${{ secrets.GIT_USER }} + GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }} + VERSION: ${{ inputs.release_version }} + +jobs: + helm: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Publish Helm artifact to "gh-pages" branch + run: | + make helm-artifacts-publish \ + -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \ + -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \ + -e OPERATOR_VERSION=$VERSION + env: + GIT_CONFIG_USER_NAME: "${{ github.actor }}" + GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 000000000..d9d684443 --- /dev/null +++ b/.github/workflows/release.yaml 
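Review bot: `secrets.GIT_TOKEN` is handed to this job as `GITHUB_TOKEN` with no `permissions:` block and no `environment:` gate, so anyone with write access can dispatch a push to `gh-pages` using a long-lived PAT, and the job executes whatever `actions/checkout@v4` resolves to. Put the job behind a protected environment (`environment: release`) with required reviewers, pin the action to a commit SHA, and add `permissions: contents: read` at workflow level. `$VERSION` is also passed unquoted in `-e OPERATOR_VERSION=$VERSION`; since `release_version` is free-form input, write `-e OPERATOR_VERSION="$VERSION"` like the two arguments above it.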
@@ -0,0 +1,89 @@ +name: Release workflow + +on: + workflow_dispatch: + inputs: + release_version: + description: "Release version" + required: true + bundle_channels: + description: "Bundle channels" + required: true + default: candidates + is_draft_release: + description: "Draft release" + type: boolean + required: false + default: true + is_pre_release: + description: "Pre-release" + type: boolean + required: false + default: false + +run-name: Release ${{ inputs.release_version }} + +env: + GIT_USER: ${{ secrets.GIT_USER }} + GITHUB_TOKEN: ${{ secrets.GIT_TOKEN }} + VERSION: ${{ inputs.release_version }} + +jobs: + release: + runs-on: ubuntu-latest + + steps: + - name: Login to quay.io + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_USER }} + password: ${{ secrets.QUAY_PWD }} + + - uses: actions/checkout@v4 + + - name: Build and push operator image + run: | + make docker-buildx \ + -e TAG=$VERSION + + - name: Generate bundle metadata + run: | + make bundle \ + -e CHANNELS=$CHANNELS + env: + CHANNELS: ${{ inputs.bundle_channels }} + + - name: Publish bundle in operatorhub.io + run: | + make bundle-publish \ + -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \ + -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \ + -e OPERATOR_VERSION=$VERSION \ + -e OPERATOR_HUB=community-operators \ + -e OWNER=k8s-operatorhub \ + -e FORK=maistra + env: + GIT_CONFIG_USER_NAME: "${{ github.actor }}" + GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" + + - name: Publish bundle in OpenShift OperatorHub + run: | + make bundle-publish \ + -e GIT_CONFIG_USER_NAME="$GIT_CONFIG_USER_NAME" \ + -e GIT_CONFIG_USER_EMAIL="$GIT_CONFIG_USER_EMAIL" \ + -e OPERATOR_VERSION=$VERSION \ + -e OWNER=redhat-openshift-ecosystem \ + -e FORK=maistra + env: + GIT_CONFIG_USER_NAME: "${{ github.actor }}" + GIT_CONFIG_USER_EMAIL: "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com" + + - name: Create GitHub 
release + run: | + make create-gh-release \ + -e GH_PRE_RELEASE=$GH_PRE_RELEASE \ + -e GH_RELEASE_DRAFT=$GH_RELEASE_DRAFT + env: + GH_PRE_RELEASE: ${{ github.event.inputs.is_pre_release == 'true' }} + GH_RELEASE_DRAFT: ${{ github.event.inputs.is_draft_release == 'true' }} \ No newline at end of file diff --git a/.github/workflows/update-deps.yaml b/.github/workflows/update-deps.yaml new file mode 100644 index 000000000..335c3f7a9 --- /dev/null +++ b/.github/workflows/update-deps.yaml @@ -0,0 +1,50 @@ +name: Update-deps workflow + +on: + schedule: + - cron: "0 5 * * *" # everyday at 5AM UTC + workflow_dispatch: + inputs: + branch: + description: "Branch to update" + default: "main" + required: true + +run-name: update-deps + +env: + GIT_USER: ${{ secrets.GIT_USER }} + GH_TOKEN: ${{ secrets.GIT_TOKEN }} + AUTOMATOR_ORG: istio-ecosystem + AUTOMATOR_REPO: sail-operator + AUTOMATOR_BRANCH: ${{ inputs.branch || 'main' }} + +jobs: + update-deps: + runs-on: ubuntu-latest + container: + image: gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90 + options: --entrypoint '' + + steps: + - uses: actions/checkout@v4 + with: + repository: istio/test-infra + ref: master + + # this is a workaround for a permissions issue when using the istio build container + - run: git config --system --add safe.directory /__w/sail-operator/sail-operator + + - name: Run Automator + run: | + ./tools/automator/automator.sh \ + --org=$AUTOMATOR_ORG \ + --repo=sail-operator \ + --branch=$AUTOMATOR_BRANCH \ + '--title=Automator: Update dependencies in $AUTOMATOR_ORG/$AUTOMATOR_REPO@$AUTOMATOR_BRANCH' \ + --labels=auto-merge \ + --email=openshiftservicemeshbot@gmail.com \ + --modifier=update_deps \ + --token-env \ + --cmd='BUILD_WITH_CONTAINER=0 ./tools/update_deps.sh' \ + --signoff diff --git a/CODE-OF-CONDUCT.md b/CODE-OF-CONDUCT.md new file mode 100644 index 000000000..880f0a278 --- /dev/null +++ b/CODE-OF-CONDUCT.md 
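Review bot: The release job pushes the operator image with `secrets.QUAY_PWD` and opens PRs in two external orgs with the `secrets.GIT_TOKEN` PAT, yet it is not bound to a protected `environment:` and has no `permissions:` block, so any account that can dispatch it gets the full set of release credentials. Add `environment: release` (with required reviewers) to the job, `permissions: contents: read` at workflow level, and pin `docker/login-action@v3` and `actions/checkout@v4` to commit SHAs. `-e TAG=$VERSION` and `-e OPERATOR_VERSION=$VERSION` should be quoted (`"$VERSION"`) since `release_version` is free-form input. Since both flags are declared `type: boolean`, `${{ inputs.is_pre_release }}` is the direct form of `${{ github.event.inputs.is_pre_release == 'true' }}` and avoids the string comparison.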
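Review bot: The Run Automator step executes `./tools/automator/automator.sh` checked out from `istio/test-infra` at `ref: master`, with `secrets.GIT_TOKEN` in `GH_TOKEN` and `--labels=auto-merge`, so a bad or malicious push to that repository's default branch becomes an auto-mergeable PR in this one on the next nightly run. Pin the checkout to a commit SHA (`ref: <sha>`) and bump it deliberately, and pin the `gcr.io/istio-testing/build-tools` image by digest (`@sha256:…`) rather than tag so the scheduled run is reproducible. The `git config --system --add safe.directory /__w/sail-operator/sail-operator` workaround hard-codes the runner path; `"$GITHUB_WORKSPACE"` is the portable equivalent and survives a repository rename.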
@@ -0,0 +1,7 @@ +# Sail Operator Community Code of Conduct + +As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities. + +All members of the Sail Operator community must abide by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md). +Only by respecting each other can we develop a productive, collaborative community. + diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index d71a391ea..8d6421f53 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -25,20 +25,10 @@ If you want to contribute to the Sail Operator project, you can follow some rule - Discuss your changes before you start working on them. You can open a new issue in the [Sail Operator GitHub repository](https://github.com/istio-ecosystem/sail-operator/issues) or start a discussion in the [Sail Operator Discussion](https://github.com/istio-ecosystem/sail-operator/discussions). By this way, you can get feedback from the community and ensure that your changes are aligned with the project goals. - Use of Labels: We use labels in the issues to help us track the progress of the issues. You can use the labels to help you understand the status of the issue and what is needed to move forward. Those labels are: - `backport/backport-handled`: Use this label to indicate that the issue has been backported to the appropriate branches. - - `testing`: Use this label to indicate that the issue is related to testing. Can be used in combination with other labels to mark the proper testing type, for example: `testing/e2e`, `testing/unit`, `testing/integration`. + - `test`: Use this label to indicate that the issue is related to test or add `test-needed` when a issue needs a test to be added related. Can be used in combination with other labels to mark the proper test type, for example: `test-e2e`, `test-unit`, `test-integration`. - `good first issue`: Use this label to indicate that the issue is a good first issue for new contributors. - `help wanted`: Use this label to indicate that the issue needs help from the community. - `enhancement`: Use this label to indicate that the issue is an enhancement related to a new feature or improvement. 
-- Pull Requests: When you open a pull request, you can follow this template to help you provide the necessary information to the maintainers: - - **What type of PR is this?** - - **What this PR does / why we need it:** - - **Which issue(s) this PR fixes:** (Mark with Fixes #12345, with this the issue will be autoclosed when the PR is merged) - - **Special notes for your reviewer:** - - **Does this PR introduce a user-facing change?** - - **Additional documentation:** - - **Does this PR introduce a breaking change?** - - **Other information:** - - Labels: You can use the labels to help you track the status of the PR. The labels are the same as the issue labels. Additionally, you can use the `cleanup/refactor` to indicate that the PR is a cleanup or refactor of the codebase. Having the label just helps with filtering pull requests. It also is a hint that this work does not need an entry in the changelog ## Community meetings @@ -46,4 +36,4 @@ This is not defined yet. We are working on defining the community meetings and h ## Security Issues -If you find a security issue in the Sail Operator project, please refer to the [Security Policy](https://github.com/istio-ecosystem/sail-operator/security/policy) for more information on how to report security issues. Please do not report security issues in the public GitHub repository. \ No newline at end of file +If you find a security issue in the Sail Operator project, please refer to the [Security Policy](https://github.com/istio-ecosystem/sail-operator/security/policy) for more information on how to report security issues. Please do not report security issues in the public GitHub repository. diff --git a/Dockerfile b/Dockerfile index f4831aa13..7f249db94 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -2,9 +2,9 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest ARG TARGETOS TARGETARCH -ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/manager /manager +ADD out/${TARGETOS:-linux}_${TARGETARCH:-amd64}/sail-operator /sail-operator ADD resources /var/lib/sail-operator/resources USER 65532:65532 WORKDIR / -ENTRYPOINT ["/manager"] +ENTRYPOINT ["/sail-operator"] diff --git a/Makefile.core.mk b/Makefile.core.mk index 3a3cd3d7f..52c4b5dce 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -71,7 +71,7 @@ ENVTEST_K8S_VERSION ?= 1.29.0 # Set DOCKER_BUILD_FLAGS to specify flags to pass to 'docker build', default to empty. Example: --platform=linux/arm64 DOCKER_BUILD_FLAGS ?= "--platform=$(TARGET_OS)/$(TARGET_ARCH)" -GOTEST_FLAGS := $(if $(VERBOSE),-v) +GOTEST_FLAGS := $(if $(VERBOSE),-v) $(if $(COVERAGE),-coverprofile=$(REPO_ROOT)/out/coverage.out) GINKGO_FLAGS := $(if $(VERBOSE),-v) $(if $(CI),--no-color) # CHANNELS define the bundle channels used in the bundle. @@ -79,7 +79,12 @@ GINKGO_FLAGS := $(if $(VERBOSE),-v) $(if $(CI),--no-color) # To re-generate a bundle for other specific channels without changing the standard setup, you can: # - use the CHANNELS as arg of the bundle target (e.g make bundle CHANNELS=candidate,fast,stable) # - use environment variables to overwrite this value (e.g export CHANNELS="candidate,fast,stable") -CHANNELS ?= ${MINOR_VERSION} +CHANNEL_PREFIX := dev +ifneq (,$(findstring release-,$(shell git rev-parse --abbrev-ref HEAD))) +CHANNEL_PREFIX = stable +endif + +CHANNELS ?= $(CHANNEL_PREFIX)-$(MINOR_VERSION) ifneq ($(origin CHANNELS), undefined) BUNDLE_CHANNELS = --channels=\"$(CHANNELS)\" endif 
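Review bot: `$(if $(COVERAGE),-coverprofile=...)` treats any non-empty value as enabled, so `COVERAGE=false` or `COVERAGE=0` still turns coverage on; gate on the literal instead, e.g. `$(if $(filter true,$(COVERAGE)),-coverprofile=$(REPO_ROOT)/out/coverage.out)`. The `CHANNEL_PREFIX` detection runs `git rev-parse --abbrev-ref HEAD` on every make invocation and prints `HEAD` on a detached checkout (the normal state of a `pull_request` CI run), silently producing `dev-*` channels there; a comment above the `ifneq` stating that release branches must be checked out by name (or that `CHANNELS` should be passed explicitly, as release.yaml does) would make that behaviour visible.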
@@ -148,6 +153,9 @@ test: test.unit test.integration ## Run both unit tests and integration test. .PHONY: test.unit test.unit: envtest ## Run unit tests. +ifdef COVERAGE + if [ ! -d "$(REPO_ROOT)/out" ]; then mkdir $(REPO_ROOT)/out; fi +endif KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(LOCALBIN) -p path)" \ go test $(GOTEST_FLAGS) ./... @@ -165,8 +173,8 @@ test.e2e.ocp: ## Run the end-to-end tests against an existing OCP cluster. GINKGO_FLAGS="$(GINKGO_FLAGS)" ${SOURCE_DIR}/tests/e2e/integ-suite-ocp.sh .PHONY: test.e2e.kind -test.e2e.kind: ## Deploy a KinD cluster and run the end-to-end tests against it. - GINKGO_FLAGS="$(GINKGO_FLAGS)" ${SOURCE_DIR}/tests/e2e/integ-suite-kind.sh +test.e2e.kind: istioctl ## Deploy a KinD cluster and run the end-to-end tests against it. + GINKGO_FLAGS="$(GINKGO_FLAGS)" ISTIOCTL="$(ISTIOCTL)" ${SOURCE_DIR}/tests/e2e/integ-suite-kind.sh .PHONY: test.e2e.describe test.e2e.describe: ## Runs ginkgo outline -format indent over the e2e test to show in BDD style the steps and test structure @@ -174,7 +182,7 @@ test.e2e.describe: ## Runs ginkgo outline -format indent over the e2e test to sh ##@ Build .PHONY: build -build: build-$(TARGET_ARCH) ## Build manager binary. +build: build-$(TARGET_ARCH) ## Build the sail-operator binary. .PHONY: run run: gen ## Run a controller from your host. 
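Review bot: The new `ifdef COVERAGE` recipe lines reimplement `mkdir -p` with a shell test, and quote the path in the test but not in the `mkdir`; `@mkdir -p "$(REPO_ROOT)/out"` does the same in one line and is safe to run unconditionally, which removes the conditional from the recipe altogether. Note that `ifdef COVERAGE` is also true for `COVERAGE=false`, matching the `GOTEST_FLAGS` change earlier in this diff, so the two should be fixed together.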
@@ -216,7 +224,7 @@ endif # BUILDX_BUILD_ARGS are the additional --build-arg flags passed to the docker buildx build command. BUILDX_BUILD_ARGS = --build-arg TARGETOS=$(TARGET_OS) -# PLATFORMS defines the target platforms for the manager image be build to provide support to multiple +# PLATFORMS defines the target platforms for the sail-operator image be build to provide support to multiple # architectures. (i.e. make docker-buildx IMAGE=myregistry/mypoperator:0.0.1). To use this option you need to: # - able to use docker buildx . More info: https://docs.docker.com/build/buildx/ # - have enable BuildKit, More info: https://docs.docker.com/develop/develop-images/build_enhancements/ @@ -228,8 +236,8 @@ PLATFORM_ARCHITECTURES = $(shell echo ${PLATFORMS} | sed -e 's/,/\ /g' -e 's/lin ifndef BUILDX define BUILDX .PHONY: build-$(1) -build-$(1): ## Build manager binary for specific architecture. - GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/manager cmd/main.go +build-$(1): ## Build sail-operator binary for specific architecture. + GOARCH=$(1) LDFLAGS="$(LD_FLAGS)" common/scripts/gobuild.sh $(REPO_ROOT)/out/$(TARGET_OS)_$(1)/sail-operator cmd/main.go .PHONY: build-all build-all: build-$(1) @@ -249,6 +257,9 @@ docker-buildx: build-all ## Build and push docker image with cross-platform supp docker buildx rm project-v4-builder rm Dockerfile.cross +clean: ## Cleans all the intermediate files and folders previously generated. + rm -rf $(REPO_ROOT)/out + ##@ Deployment .PHONY: verify-kubeconfig 
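Review bot: The new `clean` target is not declared `.PHONY` while every neighbouring target is, so a file or directory named `clean` in the repo root would make `make clean` a silent no-op. Add `.PHONY: clean` above it, and since `$(REPO_ROOT)/out` collapses to `/out` when the variable is unset, consider failing fast with `$(if $(REPO_ROOT),,$(error REPO_ROOT is not set))` before the `rm -rf`.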
@@ -381,7 +392,7 @@ gen-charts: ## Pull charts from istio repository. gen: gen-all-except-bundle bundle ## Generate everything. .PHONY: gen-all-except-bundle -gen-all-except-bundle: operator-name operator-chart controller-gen gen-api gen-charts gen-manifests gen-code gen-api-docs +gen-all-except-bundle: operator-name operator-chart controller-gen gen-api gen-charts gen-manifests gen-code gen-api-docs github-workflow .PHONY: gen-check gen-check: gen restore-manifest-dates check-clean-repo ## Verify that changes in generated resources have been checked in. @@ -390,7 +401,8 @@ gen-check: gen restore-manifest-dates check-clean-repo ## Verify that changes in CRD_PATH := ./api OUTPUT_DOCS_PATH := ./docs/api-reference CONFIG_API_DOCS_GEN_PATH := ./hack/api-docs/config.yaml -TEMPLATES_DIR := ./hack/api-docs/templates/markdown +DOCS_RENDERER := markdown +TEMPLATES_DIR := ./hack/api-docs/templates/$(DOCS_RENDERER) gen-api-docs: ## Generate API documentation. Known issues: go fmt does not properly handle tabs and add new line empty. Workaround is applied to the generated markdown files. The crd-ref-docs tool add br tags to the generated markdown files. Workaround is applied to the generated markdown files. @echo "Generating API documentation..." @@ -400,12 +412,12 @@ gen-api-docs: ## Generate API documentation. Known issues: go fmt does not prope --source-path=$(CRD_PATH) \ --templates-dir=$(TEMPLATES_DIR) \ --config=$(CONFIG_API_DOCS_GEN_PATH) \ - --renderer=markdown \ + --renderer=$(DOCS_RENDERER) \ --output-path=$(OUTPUT_DOCS_PATH) \ --output-mode=group @find $(OUTPUT_DOCS_PATH) -type f -name "*.md" -exec sed -i 's/
/ /g' {} \; - @find $(OUTPUT_DOCS_PATH) -type f -name "*.md" -exec sed -i 's/\t/ /g' {} \; - @find $(OUTPUT_DOCS_PATH) -type f -name "*.md" -exec sed -i '/^```/,/^```/ {/./!d;}' {} \; + @find $(OUTPUT_DOCS_PATH) -type f \( -name "*.md" -o -name "*.asciidoc" \) -exec sed -i 's/\t/ /g' {} \; + @find $(OUTPUT_DOCS_PATH) -type f \( -name "*.md" -o -name "*.asciidoc" \) -exec sed -i '/^```/,/^```/ {/./!d;}' {} \; @echo "API reference documentation generated at $(OUTPUT_DOCS_PATH)" .PHONY: restore-manifest-dates @@ -425,6 +437,9 @@ operator-chart: sed -i -e "s|^\(image: \).*$$|\1${IMAGE}|g" \ -e "s/^\( version: \).*$$/\1${VERSION}/g" chart/values.yaml +github-workflow: + sed -i -e '1,/default:/ s/^\(.*default:\).*$$/\1 ${CHANNELS}/' .github/workflows/release.yaml + .PHONY: update-istio update-istio: ## Update the Istio commit hash in the 'latest' entry in versions.yaml to the latest commit in the branch. @hack/update-istio.sh @@ -450,13 +465,15 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen ENVTEST ?= $(LOCALBIN)/setup-envtest GITLEAKS ?= $(LOCALBIN)/gitleaks OPM ?= $(LOCALBIN)/opm +ISTIOCTL ?= $(LOCALBIN)/istioctl ## Tool Versions -OPERATOR_SDK_VERSION ?= v1.36.1 -HELM_VERSION ?= v3.15.3 -CONTROLLER_TOOLS_VERSION ?= v0.16.0 -OPM_VERSION ?= v1.45.0 -GITLEAKS_VERSION ?= v8.18.4 +OPERATOR_SDK_VERSION ?= v1.37.0 +HELM_VERSION ?= v3.16.2 +CONTROLLER_TOOLS_VERSION ?= v0.16.4 +OPM_VERSION ?= v1.47.0 +GITLEAKS_VERSION ?= v8.21.0 +ISTIOCTL_VERSION ?= 1.23.0 # GENERATE_RELATED_IMAGES defines whether `spec.relatedImages` is going to be generated or not # To disable set flag to false 
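Review bot: `github-workflow` rewrites the first `default:` line in `.github/workflows/release.yaml` via `sed '1,/default:/ s/.../\1 ${CHANNELS}/'`, which hits `bundle_channels` only by accident of ordering — if `release_version` ever gains a default or the inputs are reordered, the wrong input's default is overwritten — and `${CHANNELS}` is inserted into the replacement unescaped, so a value containing `/`, `&` or `\` breaks the expression. Anchor the edit to the key instead, e.g. `sed -i -e '/^\s*bundle_channels:/,/default:/ s/^\(\s*default:\).*$$/\1 ${CHANNELS}/'`, and add a comment above the target saying it keeps the workflow's default channel in sync with the Makefile's `CHANNELS`. The target is added to `.SILENT` and `gen-all-except-bundle` elsewhere in this diff but does not appear to be declared `.PHONY`, unlike its neighbours.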
@@ -483,6 +500,28 @@ $(OPERATOR_SDK): $(LOCALBIN) curl -sSLfo $(LOCALBIN)/operator-sdk https://github.com/operator-framework/operator-sdk/releases/download/$(OPERATOR_SDK_VERSION)/operator-sdk_$(OS)_$(ARCH) && \ chmod +x $(LOCALBIN)/operator-sdk; +.PHONY: istioctl $(ISTIOCTL) +istioctl: $(ISTIOCTL) ## Download istioctl to bin directory. +istioctl: TARGET_OS=$(shell go env GOOS) +istioctl: TARGET_ARCH=$(shell go env GOARCH) +$(ISTIOCTL): $(LOCALBIN) + @test -s $(LOCALBIN)/istioctl || { \ + OSEXT=$(if $(filter $(TARGET_OS),Darwin),osx,linux); \ + URL="https://github.com/istio/istio/releases/download/$(ISTIOCTL_VERSION)/istioctl-$(ISTIOCTL_VERSION)-$$OSEXT-$(TARGET_ARCH).tar.gz"; \ + echo "Fetching istioctl from $$URL"; \ + curl -fsL $$URL -o /tmp/istioctl.tar.gz || { \ + echo "Download failed! Please check the URL and ISTIO_VERSION."; \ + exit 1; \ + }; \ + tar -xzf /tmp/istioctl.tar.gz -C /tmp || { \ + echo "Extraction failed!"; \ + exit 1; \ + }; \ + mv /tmp/istioctl $(LOCALBIN)/istioctl; \ + rm -f /tmp/istioctl.tar.gz; \ + echo "istioctl has been downloaded and placed in $(LOCALBIN)"; \ + } + .PHONY: controller-gen controller-gen: $(LOCALBIN) ## Download controller-gen to bin directory. If wrong version is installed, it will be overwritten. @test -s $(LOCALBIN)/controller-gen && $(LOCALBIN)/controller-gen --version | grep -q $(CONTROLLER_TOOLS_VERSION) || \ @@ -560,6 +599,13 @@ bundle-publish-nightly: OPERATOR_VERSION=$(VERSION)-nightly-$(TODAY) ## Publish bundle-publish-nightly: TAG=$(MINOR_VERSION)-nightly-$(TODAY) bundle-publish-nightly: bundle-nightly bundle-publish +.PHONY: helm-artifacts-publish +helm-artifacts-publish: helm ## Publish Helm artifacts to be available for "Helm repo add" + @export GIT_USER=$(GITHUB_USER); \ + export GITHUB_TOKEN=$(GITHUB_TOKEN); \ + export OPERATOR_VERSION=$(OPERATOR_VERSION); \ + ./hack/helm-artifacts.sh + .PHONY: opm $(OPM) opm: $(OPM) opm: OS=$(shell go env GOOS) 
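Review bot: The `$(ISTIOCTL)` recipe downloads a binary with no integrity check and extracts it through fixed names in the shared `/tmp` (`/tmp/istioctl.tar.gz`, `/tmp/istioctl`), so a pre-existing file or symlink there — or a tampered download — lands in `$(LOCALBIN)` and is then used by `test.e2e.kind`. The OS detection is also wrong on macOS: `istioctl: TARGET_OS=$(shell go env GOOS)` yields lowercase `darwin`, which `$(filter $(TARGET_OS),Darwin)` never matches, so the `linux` tarball is fetched; and the failure message names `ISTIO_VERSION`, which is not the variable. Istio publishes a `.sha256` sidecar next to each release asset (in `sha256sum` format, as far as I can tell); the rewrite below uses `mktemp -d`, verifies that checksum before extracting, and fixes the filter — on macOS substitute `shasum -a 256 -c` if `sha256sum` is unavailable.
```make
$(ISTIOCTL): $(LOCALBIN)
	@test -s $(LOCALBIN)/istioctl || { \
		OSEXT=$(if $(filter darwin,$(TARGET_OS)),osx,linux); \
		ASSET="istioctl-$(ISTIOCTL_VERSION)-$$OSEXT-$(TARGET_ARCH).tar.gz"; \
		URL="https://github.com/istio/istio/releases/download/$(ISTIOCTL_VERSION)/$$ASSET"; \
		WORK=$$(mktemp -d) || exit 1; \
		echo "Fetching istioctl from $$URL"; \
		curl -fsSL "$$URL" -o "$$WORK/$$ASSET" && curl -fsSL "$$URL.sha256" -o "$$WORK/$$ASSET.sha256" || { \
			echo "Download failed! Please check the URL and ISTIOCTL_VERSION."; rm -rf "$$WORK"; exit 1; \
		}; \
		(cd "$$WORK" && sha256sum -c "$$ASSET.sha256") || { \
			echo "Checksum verification failed for $$ASSET!"; rm -rf "$$WORK"; exit 1; \
		}; \
		tar -xzf "$$WORK/$$ASSET" -C "$$WORK" istioctl || { \
			echo "Extraction failed!"; rm -rf "$$WORK"; exit 1; \
		}; \
		mv "$$WORK/istioctl" $(LOCALBIN)/istioctl; \
		rm -rf "$$WORK"; \
		echo "istioctl has been downloaded and placed in $(LOCALBIN)"; \
	}
```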
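Review bot: `helm-artifacts-publish` exports `GIT_USER=$(GITHUB_USER)`, but the workflow that calls it (helm.yaml in this diff) sets `GIT_USER`, not `GITHUB_USER`; unless `GITHUB_USER` is defined elsewhere in the Makefile, this overwrites the caller's value with an empty string before `hack/helm-artifacts.sh` runs. Either export `GIT_USER=$(GIT_USER)` or drop the line, since a variable already in the environment is visible to the script anyway. Keep the `@` prefix on the recipe so the re-exported PAT never appears in make's echoed command line, and add a one-line comment above the target noting that the script pushes to `gh-pages` with that token.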
@@ -624,7 +670,7 @@ git-hook: gitleaks ## Installs gitleaks as a git pre-commit hook. chmod +x .git/hooks/pre-commit; \ fi -.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml gen-api operator-name operator-chart +.SILENT: helm $(HELM) $(LOCALBIN) deploy-yaml gen-api operator-name operator-chart github-workflow COMMON_IMPORTS ?= lint-all lint-scripts lint-copyright-banner lint-go lint-yaml lint-helm format-go tidy-go check-clean-repo update-common .PHONY: $(COMMON_IMPORTS) diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go index ae995daee..c1943dc06 100644 --- a/api/v1alpha1/istio_types.go +++ b/api/v1alpha1/istio_types.go @@ -57,9 +57,10 @@ type IstioSpec struct { // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` - // Namespace to which the Istio components should be installed. + // Namespace to which the Istio components should be installed. Note that this field is immutable. // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"} // +kubebuilder:default=istio-system + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable" Namespace string `json:"namespace"` // Defines the values to be passed to the Helm charts when installing Istio. @@ -114,6 +115,9 @@ type IstioStatus struct { // Reports the current state of the object. State IstioConditionReason `json:"state,omitempty"` + // The name of the active revision. + ActiveRevisionName string `json:"activeRevisionName,omitempty"` + // Reports information about the underlying IstioRevisions. Revisions RevisionSummary `json:"revisions,omitempty"` } 
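Review bot: The new `self == oldSelf` transition rule makes `spec.namespace` immutable on update, but the field comment only states the fact, not why; presumably moving a control plane between namespaces would orphan the resources already installed in the old one (the reconciler is not in this hunk), so say so, e.g. `// Namespace to which the Istio components should be installed. This field is immutable: changing it would leave the components already installed in the previous namespace unmanaged.` CEL transition rules require a cluster with CRD validation rules enabled (beta from Kubernetes 1.25, GA in 1.29), which is worth a line in the user docs given the envtest version pinned at 1.29.0. `RemoteIstioSpec` is not visible in this diff; if it carries the same `Namespace` field it should get the same marker so the three CRDs stay consistent.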
@@ -238,7 +242,8 @@ const ( // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object." // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready." // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads." -// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.state",description="The current state of the active revision." +// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision." +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision." // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation." // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object" diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go index 2ede45762..e6c3b4061 100644 --- a/api/v1alpha1/istiorevision_types.go +++ b/api/v1alpha1/istiorevision_types.go @@ -42,6 +42,7 @@ type IstioRevisionSpec struct { // Namespace to which the Istio components should be installed. // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"} + // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value is immutable" Namespace string `json:"namespace"` // Defines the values to be passed to the Helm charts when installing Istio. diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go index 599a6be67..174d60730 100644 
--- a/api/v1alpha1/remoteistio_types.go +++ b/api/v1alpha1/remoteistio_types.go @@ -71,6 +71,9 @@ type RemoteIstioStatus struct { // Reports the current state of the object. State RemoteIstioConditionReason `json:"state,omitempty"` + // The name of the active revision. + ActiveRevisionName string `json:"activeRevisionName,omitempty"` + // Reports information about the underlying IstioRevisions. Revisions RevisionSummary `json:"revisions,omitempty"` } @@ -183,7 +186,8 @@ const ( // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object." // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready." // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads." -// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.state",description="The current state of the active revision." +// +kubebuilder:printcolumn:name="Active Revision",type="string",JSONPath=".status.activeRevisionName",description="The name of the currently active revision." +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of the active revision." // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the control plane installation." // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object" diff --git a/api/v1alpha1/values_types.gen.go b/api/v1alpha1/values_types.gen.go index 76ded79ff..8911f556a 100644 --- a/api/v1alpha1/values_types.gen.go +++ b/api/v1alpha1/values_types.gen.go 
@@ -108,7 +108,7 @@ type CNIConfig struct { Affinity *k8sv1.Affinity `json:"affinity,omitempty"` // Additional annotations to apply to the istio-cni Pods. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PodAnnotations map[string]string `json:"podAnnotations,omitempty"` // PodSecurityPolicy cluster role. No longer used anywhere. PspClusterRole string `json:"psp_cluster_role,omitempty"` @@ -126,7 +126,7 @@ type CNIConfig struct { Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // No longer used for CNI. See: https://github.com/istio/istio/issues/49004 // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Privileged *bool `json:"privileged,omitempty"` // The Container seccompProfile // @@ -190,7 +190,7 @@ type CNIRepairConfig struct { RepairPods bool `json:"repairPods,omitempty"` // No longer used. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. CreateEvents string `json:"createEvents,omitempty"` // The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. // The mode defines the action the controller will take when a pod is detected as broken. @@ -240,7 +240,7 @@ type GlobalConfig struct { // // Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Arch *ArchConfig `json:"arch,omitempty"` // List of certSigners to allow "approve" action in the ClusterRole CertSigners []string `json:"certSigners,omitempty"` 
@@ -250,17 +250,15 @@ type GlobalConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultNodeSelector map[string]string `json:"defaultNodeSelector,omitempty"` // Specifies the default pod disruption budget configuration. - // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. DefaultPodDisruptionBudget *DefaultPodDisruptionBudgetConfig `json:"defaultPodDisruptionBudget,omitempty"` // Default k8s resources settings for all Istio control plane components. // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultResources *k8sv1.ResourceRequirements `json:"defaultResources,omitempty"` // Default node tolerations to be applied to all deployments so that all pods can be // scheduled to nodes with matching taints. Each component can overwrite @@ -269,7 +267,7 @@ type GlobalConfig struct { // Configure this field in case that all pods of Istio control plane are expected to // be scheduled to particular nodes with specified taints. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultTolerations []k8sv1.Toleration `json:"defaultTolerations,omitempty"` // Specifies the docker hub for Istio images. Hub string `json:"hub,omitempty"` 
@@ -363,7 +361,7 @@ type GlobalConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PriorityClassName string `json:"priorityClassName,omitempty"` // Specifies how proxies are configured within Istio. Proxy *ProxyConfig `json:"proxy,omitempty"` @@ -387,7 +385,7 @@ type GlobalConfig struct { // Configure the policy for validating JWT. // This is deprecated and has no effect. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. JwtPolicy string `json:"jwtPolicy,omitempty"` // Specifies the configuration for Security Token Service. Sts *STSConfig `json:"sts,omitempty"` @@ -476,7 +474,7 @@ type PilotConfig struct { AutoscaleBehavior *autoscalingv2.HorizontalPodAutoscalerBehavior `json:"autoscaleBehavior,omitempty"` // Number of replicas in the Pilot Deployment. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. ReplicaCount uint32 `json:"replicaCount,omitempty"` // Image name used for Pilot. // 
@@ -494,19 +492,19 @@ type PilotConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // Target CPU utilization used in HorizontalPodAutoscaler. // // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Cpu *TargetUtilizationConfig `json:"cpu,omitempty"` // K8s node selector. // // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. NodeSelector map[string]string `json:"nodeSelector,omitempty"` // Maximum duration that a sidecar can be connected to a pilot. // @@ -539,7 +537,7 @@ type PilotConfig struct { Affinity *k8sv1.Affinity `json:"affinity,omitempty"` // K8s rolling update strategy // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. // +kubebuilder:validation:XIntOrString RollingMaxSurge *intstr.IntOrString `json:"rollingMaxSurge,omitempty"` // The number of pods that can be unavailable during a rolling update (see 
@@ -548,20 +546,20 @@ type PilotConfig struct { // May be specified as a number of pods or as a percent of the total number // of pods at the start of the update. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. // +kubebuilder:validation:XIntOrString RollingMaxUnavailable *intstr.IntOrString `json:"rollingMaxUnavailable,omitempty"` // The node tolerations to be applied to the Pilot deployment so that it can be // scheduled to particular nodes with matching taints. // More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Tolerations []k8sv1.Toleration `json:"tolerations,omitempty"` // K8s annotations for pods. // // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PodAnnotations map[string]string `json:"podAnnotations,omitempty"` // K8s annotations for the Service. // @@ -602,7 +600,7 @@ type PilotConfig struct { // // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Memory *TargetUtilizationConfig `json:"memory,omitempty"` // Configures whether to use an existing CNI installation for workloads Cni *CNIUsageConfig `json:"cni,omitempty"` 
@@ -610,6 +608,8 @@ type PilotConfig struct { // If set, `istiod` will allow connections from trusted node proxy ztunnels // in the provided namespace. TrustedZtunnelNamespace string `json:"trustedZtunnelNamespace,omitempty"` + // Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane"). + IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"` } type PilotTaintControllerConfig struct { @@ -685,6 +685,8 @@ type ProxyConfig struct { // Enables core dumps for newly injected sidecars. // // If set, newly injected sidecars will have core dumps enabled. + // + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. EnableCoreDump *bool `json:"enableCoreDump,omitempty"` // Specifies the Istio ingress ports not to capture. ExcludeInboundPorts string `json:"excludeInboundPorts,omitempty"` @@ -726,7 +728,7 @@ type ProxyConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` // Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. // If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. 
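Review bot: The `Deprecated:` marker added to `ProxyConfig.EnableCoreDump` sits directly under text that still says setting the field enables core dumps on newly injected sidecars, so a reader cannot tell whether the switch still works or what replaces it; other deprecated fields in this file spell this out (`JwtPolicy`: "This is deprecated and has no effect."). That matters here because a sidecar core dump writes proxy memory, which can include its workload TLS private key, to the node, so operators need to know whether this value is still applied. Suggest stating the outcome on the line above the marker, e.g. `// This field has no effect; <replacement> controls core dumps instead.` with the actual status taken from the values proto. ProxyConfig begins and ends outside this hunk.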
@@ -740,7 +742,7 @@ type ProxyConfig struct { // // Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. HoldApplicationUntilProxyStarts *bool `json:"holdApplicationUntilProxyStarts,omitempty"` // A comma separated list of inbound ports for which traffic is to be redirected to Envoy. // The wildcard character '*' can be used to configure redirection for all ports. @@ -772,7 +774,7 @@ type ProxyInitConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` } @@ -786,7 +788,7 @@ type ResourcesRequestsConfig struct { // Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. type SDSConfig struct { - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. Token *SDSConfigToken `json:"token,omitempty"` } @@ -884,6 +886,8 @@ type TracerStackdriverConfig struct { } type BaseConfig struct { + // CRDs to exclude. Requires `enableCRDTemplates` + ExcludedCRDs []string `json:"excludedCRDs,omitempty"` // URL to use for validating webhook. ValidationURL string `json:"validationURL,omitempty"` 
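Review bot: The comment on the new `BaseConfig.ExcludedCRDs` field, `// CRDs to exclude. Requires `enableCRDTemplates``, does not say what an entry looks like (a group-qualified CRD name or a kind) nor what happens when `enableCRDTemplates` is unset (ignored vs. error), and is not a complete sentence. Suggest `// Names of CRDs to skip when the base chart renders CRD templates; ignored unless enableCRDTemplates is true.` with the match key and the unset behaviour adjusted to what the chart actually does. `enableCRDTemplates` is not visible in this hunk, so the reference cannot be checked here; BaseConfig continues past the hunk.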
@@ -898,6 +902,8 @@ type IstiodRemoteConfig struct { InjectionPath string `json:"injectionPath,omitempty"` // injector ca bundle InjectionCABundle string `json:"injectionCABundle,omitempty"` + // Indicates if this cluster/install should consume a "remote" istiod instance, + Enabled *bool `json:"enabled,omitempty"` } type Values struct { @@ -921,6 +927,10 @@ type Values struct { // Configuration for the base component. Base *BaseConfig `json:"base,omitempty"` // Configuration for istiod-remote. + // DEPRECATED - istiod-remote chart is removed and replaced with + // `istio-discovery --set values.istiodRemote.enabled=true` + // + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"` // Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration // is created for each alias. 
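Review bot: The new comment on `IstiodRemoteConfig.Enabled` ends with a comma instead of a full stop: `// Indicates if this cluster/install should consume a "remote" istiod instance,`. In the second hunk, the deprecation note on `Values.IstiodRemote` tells users to switch to `istio-discovery --set values.istiodRemote.enabled=true`, which is the same `values.istiodRemote` path being deprecated; if the intended replacement is the `IstiodRemote` field added to `PilotConfig` earlier in this diff (presumably `values.pilot.istiodRemote.enabled`), the note should name that path explicitly, otherwise the guidance is circular. Both enclosing structs start outside their hunks.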
@@ -957,6 +967,22 @@ type WaypointConfig struct { // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` + // K8s affinity settings for waypoint pods. + // + // See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + Affinity *k8sv1.Affinity `json:"affinity,omitempty"` + // K8s topology spread constraints settings. + // + // See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + TopologySpreadConstraints []*k8sv1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` + // K8s node labels settings. + // + // See https://kubernetes.io/docs/user-guide/node-selection/ + NodeSelector *k8sv1.NodeSelector `json:"nodeSelector,omitempty"` + // K8s tolerations settings. + // + // See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + Toleration []*k8sv1.Toleration `json:"toleration,omitempty"` } // CNIGlobalConfig is a subset of the Global Configuration used in the Istio CNI chart. @@ -964,7 +990,7 @@ type CNIGlobalConfig struct { // Default k8s resources settings for all Istio co // // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container // - // Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. DefaultResources *k8sv1.ResourceRequirements `json:"defaultResources,omitempty"` // Specifies the docker hub for Istio images. 
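Review bot: The scheduling fields added to `WaypointConfig` use different types and JSON names from their `PilotConfig` counterparts in this same file: `NodeSelector` is `*k8sv1.NodeSelector` (the affinity-style `nodeSelectorTerms` object) where `PilotConfig.NodeSelector` is `map[string]string` as in a pod spec, and `Toleration []*k8sv1.Toleration` is serialized as `toleration` where `PilotConfig` uses `tolerations`. If these values are meant to be copied into waypoint pod specs, users will expect the pod-spec shapes; if the shapes are dictated by the upstream values proto, the comment should at least say that `nodeSelector` here is not a label map. The `NodeSelector` doc link `https://kubernetes.io/docs/user-guide/node-selection/` is a legacy URL, while the `PilotConfig` field links to `https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector`. WaypointConfig begins outside this hunk.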
@@ -1012,12 +1038,12 @@ const ( MeshConfigIngressControllerModeOff MeshConfigIngressControllerMode = "OFF" // Istio ingress controller will act on ingress resources that do not // contain any annotation or whose annotations match the value - // specified in the ingress_class parameter described earlier. Use this + // specified in the ingressClass parameter described earlier. Use this // mode if Istio ingress controller will be the default ingress // controller for the entire Kubernetes cluster. MeshConfigIngressControllerModeDefault MeshConfigIngressControllerMode = "DEFAULT" // Istio ingress controller will only act on ingress resources whose - // annotations match the value specified in the ingress_class parameter + // annotations match the value specified in the ingressClass parameter // described earlier. Use this mode if Istio ingress controller will be // a secondary ingress controller (e.g., in addition to a // cloud-provided ingress controller). @@ -1190,7 +1216,7 @@ type MeshConfig struct { // the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. // By default, `ingressgateway` is used, which will select the default IngressGateway as it has the // `istio: ingressgateway` labels. - // It is recommended that this is the same value as ingress_service. + // It is recommended that this is the same value as ingressService. IngressSelector string `json:"ingressSelector,omitempty"` // Flag to control generation of trace spans and request IDs. // Requires a trace span collector defined in the proxy configuration. 
@@ -1251,7 +1277,7 @@ type MeshConfig struct { // The trust domain corresponds to the trust root of a system. // Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) TrustDomain string `json:"trustDomain,omitempty"` - // The trust domain aliases represent the aliases of `trust_domain`. + // The trust domain aliases represent the aliases of `trustDomain`. // For example, if we have // ```yaml // trustDomain: td1 @@ -1265,7 +1291,7 @@ type MeshConfig struct { // are automatically added by Istiod. // The CA certificate that signs the workload certificates is automatically added by Istio Agent. CaCertificates []*MeshConfigCertificateData `json:"caCertificates,omitempty"` - // The default value for the ServiceEntry.export_to field and services + // The default value for the ServiceEntry.exportTo field and services // imported through container registry integrations, e.g. this applies to // Kubernetes Service resources. The value is a list of namespace names and // reserved namespace aliases. The allowed namespace aliases are: 
@@ -1290,14 +1316,14 @@ type MeshConfig struct { // For further discussion see the reference documentation for `ServiceEntry`, // `Sidecar`, and `Gateway`. DefaultServiceExportTo []string `json:"defaultServiceExportTo,omitempty"` - // The default value for the VirtualService.export_to field. Has the same - // syntax as `default_service_export_to`. + // The default value for the VirtualService.exportTo field. Has the same + // syntax as `defaultServiceExportTo`. // // If not set the system will use "*" as the default value which implies that // virtual services are exported to all namespaces DefaultVirtualServiceExportTo []string `json:"defaultVirtualServiceExportTo,omitempty"` - // The default value for the `DestinationRule.export_to` field. Has the same - // syntax as `default_service_export_to`. + // The default value for the `DestinationRule.exportTo` field. Has the same + // syntax as `defaultServiceExportTo`. // // If not set the system will use "*" as the default value which implies that // destination rules are exported to all namespaces @@ -1478,7 +1504,7 @@ type MeshConfig struct { // Note: Mesh mTLS does not respect ECDH curves. MeshMTLS *MeshConfigTLSConfig `json:"meshMTLS,omitempty"` // Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - // Currently, this supports configuration of ecdh_curves and cipher_suites only. + // Currently, this supports configuration of ecdhCurves and cipherSuites only. // For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. TlsDefaults *MeshConfigTLSConfig `json:"tlsDefaults,omitempty"` } 
@@ -1492,7 +1518,7 @@ type ConfigSource struct { // Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or // fs:/// to specify a file-based backend with absolute path to the directory. Address string `json:"address,omitempty"` - // Use the tls_settings to specify the tls mode to use. If the MCP server + // Use the tlsSettings to specify the tls mode to use. If the MCP server // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` 
@@ -1559,12 +1585,12 @@ type MeshConfigCertificateData struct { // Optional. Specify the list of trust domains to which this trustAnchor data belongs. // If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain // and its aliases. - // Note that we can have multiple trustAnchor data for a same trust_domain. + // Note that we can have multiple trustAnchor data for a same trustDomain. // In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - // If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - // If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - // If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - // If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + // If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + // If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + // If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + // If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. TrustDomains []string `json:"trustDomains,omitempty"` } @@ -1577,7 +1603,7 @@ type MeshConfigCertificateData struct { // ```yaml // serviceSettings: // - settings: -// cluster_local: true +// clusterLocal: true // hosts: // - "*.foo.svc.cluster.local" // - "bar.baz.svc.cluster.local" 
@@ -1599,8 +1625,8 @@ type MeshConfigCA struct { // Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 // +kubebuilder:validation:Required Address string `json:"address"` - // Use the tls_settings to specify the tls mode to use. - // Regarding tls_settings: + // Use the tlsSettings to specify the tls mode to use. + // Regarding tlsSettings: // - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. // DISABLE MODE can also be used for testing // - TLS MUTUAL MODE be on by default. If the CA certificates @@ -1610,7 +1636,7 @@ type MeshConfigCA struct { // timeout for forward CSR requests from Istiod to External CA // Default: 10s RequestTimeout *metav1.Duration `json:"requestTimeout,omitempty"` - // Use istiod_side to specify CA Server integrate to Istiod side or Agent side + // Use istiodSide to specify CA Server integrate to Istiod side or Agent side // Default: true IstiodSide bool `json:"istiodSide,omitempty"` } @@ -1675,7 +1701,7 @@ type MeshConfigExtensionProvider struct { // Holds the name references to the providers that will be used by default // in other Istio configuration resources if the provider is not specified. // -// These names must match a provider defined in `extension_providers` that is +// These names must match a provider defined in `extensionProviders` that is // one of the supported tracing providers. type MeshConfigDefaultProviders struct { // Name of the default provider(s) for tracing. 
@@ -1739,12 +1765,12 @@ type MeshConfigServiceSettingsSettings struct { type MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody struct { // Sets the maximum size of a message body that the ext-authz filter will hold in memory. - // If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + // If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). // Otherwise the request will be sent to the provider with a partial message. - // Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - // fail_open is set to true. + // Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + // failOpen is set to true. MaxRequestBytes uint32 `json:"maxRequestBytes,omitempty"` - // When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + // When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. // A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message // indicating if the body data is partial. 
@@ -1752,7 +1778,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody struct { // If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes // in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). // Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - // This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + // This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. PackAsBytes bool `json:"packAsBytes,omitempty"` } @@ -1770,7 +1796,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { Port uint32 `json:"port"` // The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). // When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - // In this situation, the response sent back to the client will depend on the configured `fail_open` field. + // In this situation, the response sent back to the client will depend on the configured `failOpen` field. Timeout *metav1.Duration `json:"timeout,omitempty"` // Sets a prefix to the value of authorization request header *Path*. // For example, setting this to "/check" for an original user request at path "/admin" will cause the 
@@ -1783,7 +1809,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { // Sets the HTTP status that is returned to the client when there is a network error to the authorization service. // The default status is "403" (HTTP Forbidden). StatusOnError string `json:"statusOnError,omitempty"` - // DEPRECATED. Use include_request_headers_in_check instead. + // DEPRECATED. Use includeRequestHeadersInCheck instead. // // Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. IncludeHeadersInCheck []string `json:"includeHeadersInCheck,omitempty"` @@ -1791,7 +1817,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { // Note that in addition to the headers specified here following headers are included by default: // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. // 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - // request can include the buffered client request body (controlled by include_request_body_in_check setting), + // request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), // consequently the value of Content-Length of the authorization request reflects the size of its payload size. // // Exact, prefix and suffix matches are supported (similar to the 
@@ -1803,7 +1829,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationHttpProvider struct { IncludeRequestHeadersInCheck []string `json:"includeRequestHeadersInCheck,omitempty"` // Set of additional fixed headers that should be included in the authorization request sent to the authorization service. // Key is the header name and value is the header value. - // Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + // Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. IncludeAdditionalHeadersInCheck map[string]string `json:"includeAdditionalHeadersInCheck,omitempty"` // If set, the client request body will be included in the authorization request sent to the authorization service. IncludeRequestBodyInCheck *MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody `json:"includeRequestBodyInCheck,omitempty"` @@ -1862,7 +1888,7 @@ type MeshConfigExtensionProviderEnvoyExternalAuthorizationGrpcProvider struct { Port uint32 `json:"port"` // The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). // When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - // In this situation, the response sent back to the client will depend on the configured `fail_open` field. + // In this situation, the response sent back to the client will depend on the configured `failOpen` field. Timeout *metav1.Duration `json:"timeout,omitempty"` // If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, // or if the authorization service has returned a HTTP 5xx error. 
@@ -1894,6 +1920,9 @@ type MeshConfigExtensionProviderZipkinTracingProvider struct {
 // Optional. A 128 bit trace id will be used in Istio.
 // If true, will result in a 64 bit trace id being used.
 Enable64BitTraceId bool `json:"enable64bitTraceId,omitempty"`
+ // Optional. Specifies the endpoint of Zipkin API.
+ // The default value is "/api/v2/spans".
+ Path string `json:"path,omitempty"`
 }
 // Defines configuration for a Lightstep tracer.
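Review bot: The comment on the new `Path` field calls the value "the endpoint of Zipkin API", but the default `/api/v2/spans` is a URL path, and nothing says whether a leading `/` is required or whether the value replaces the default wholesale or is appended to it. Suggest `// Optional. URL path of the Zipkin spans API on the collector; replaces the default "/api/v2/spans".` adjusted to the actual semantics, and consider a `+kubebuilder:validation:Pattern` marker if the tracer requires an absolute path, since other fields in this file already carry kubebuilder validation markers. MeshConfigExtensionProviderZipkinTracingProvider begins outside this hunk.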
@@ -2184,6 +2213,47 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { // // ``` Http *MeshConfigExtensionProviderHttpService `json:"http,omitempty"` + // Optional. Specifies the configuration for exporting OTLP traces via GRPC. + // When empty, traces will check whether HTTP is set. + // If not, traces will use default GRPC configurations. + // + // The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC: + // + // 1. Add/change the OpenTelemetry extension provider in `MeshConfig` + // ```yaml + // - name: opentelemetry + // opentelemetry: + // port: 8090 + // service: tracing.example.com + // grpc: + // timeout: 10s + // initialMetadata: + // - name: "Authentication" + // value: "token-xxxxx" + // + // ``` + // + // 2. Deploy a `ServiceEntry` for the observability back-end + // ```yaml + // apiVersion: networking.istio.io/v1alpha3 + // kind: ServiceEntry + // metadata: + // + // name: tracing-grpc + // + // spec: + // + // hosts: + // - tracing.example.com + // ports: + // - number: 8090 + // name: grpc-port + // protocol: GRPC + // resolution: DNS + // location: MESH_EXTERNAL + // + // ``` + Grpc *MeshConfigExtensionProviderGrpcService `json:"grpc,omitempty"` // Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) // to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged // according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). @@ -2196,7 +2266,7 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { // opentelemetry: // port: 443 // service: my.olly-backend.com - // resource_detectors: + // resourceDetectors: // environment: {} // // ``` 
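Review bot: The ServiceEntry example in the new `Grpc` field's doc comment has blank `//` lines between `metadata:` and `name: tracing-grpc` and between `spec:` and `hosts:`, which looks like gofmt's doc-comment reflow of indented text and leaves the YAML broken for anyone copying it; the `Http` field's example just above should be checked for the same artefact. Separately, the example places a credential (`value: "token-xxxxx"`) in `initialMetadata`; since this lives in MeshConfig rather than a Secret, a one-line remark that such values are stored in clear text in the mesh configuration would help readers. The enclosing struct starts outside this hunk.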
@@ -2217,11 +2287,11 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct {
 // headers:
 // - name: "Authorization"
 // value: "Api-Token dt0c01."
- // resource_detectors:
+ // resourceDetectors:
 // dynatrace: {}
- // dynatrace_sampler:
+ // dynatraceSampler:
 // tenant: "{your-environment-id}"
- // cluster_id: 1234
+ // clusterId: 1234
 DynatraceSampler *MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler `json:"dynatraceSampler,omitempty"`
 }
@@ -2253,6 +2323,17 @@ type MeshConfigExtensionProviderResourceDetectors struct {
 Dynatrace *MeshConfigExtensionProviderResourceDetectorsDynatraceResourceDetector `json:"dynatrace,omitempty"`
 }
+// Defines configuration for an GRPC service that can be used by an Extension Provider.
+// that does communication via GRPC.
+type MeshConfigExtensionProviderGrpcService struct {
+ // Optional. Specifies the timeout for the GRPC request.
+ Timeout *metav1.Duration `json:"timeout,omitempty"`
+ // Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
+ // scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to
+ // be injected.
+ InitialMetadata []*MeshConfigExtensionProviderHttpHeader `json:"initialMetadata,omitempty"`
+}
+
 type MeshConfigExtensionProviderStackdriverProviderLogging struct {
 // Collection of tag names and tag expressions to include in the log
 // entry. Conflicts are resolved by the tag name by overriding previously
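Review bot: The doc comment on the new `MeshConfigExtensionProviderGrpcService` type is ungrammatical (`for an GRPC service ... Extension Provider. that does communication via GRPC.`), and the `InitialMetadata` comment uses mismatched typographic quotes (`“x-foo-bar: baz-key“`). Suggest `// MeshConfigExtensionProviderGrpcService defines the gRPC client settings an extension provider uses to reach its backend.` and plain ASCII quotes in the example. Since the comment itself presents `InitialMetadata` as the place for ad hoc authorization headers, it should also say that these values are presumably stored in clear text in MeshConfig and are not a substitute for a Secret-backed credential.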
@@ -2299,7 +2380,7 @@ type MeshConfigExtensionProviderEnvoyOpenTelemetryLogProviderLogFormat struct { // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) // provides more information. - // Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + // Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` Text string `json:"text,omitempty"` // Optional. Additional attributes that describe the specific event occurrence. @@ -2308,7 +2389,7 @@ type MeshConfigExtensionProviderEnvoyOpenTelemetryLogProviderLogFormat struct { // as strings, numbers, or boolean values, as appropriate // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is // supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). - // Alias to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + // Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) // // Example: // ``` 
@@ -2338,8 +2419,8 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler str // // A default value of `1000` is used when: // - // - `root_spans_per_minute` is unset - // - `root_spans_per_minute` is set to 0 + // - `rootSpansPerMinute` is unset + // - `rootSpansPerMinute` is set to 0 RootSpansPerMinute uint32 `json:"rootSpansPerMinute,omitempty"` // Optional. Dynatrace HTTP API to obtain sampling configuration. // @@ -2434,7 +2515,7 @@ type MeshNetworks struct { // 2. Explicitly: // // a. By matching the registry name with one of the "fromRegistry" -// in the mesh config. A "from_registry" can only be assigned to a +// in the mesh config. A "fromRegistry" can only be assigned to a // single network. // // b. By matching the IP against one of the CIDR ranges in a mesh @@ -2493,7 +2574,7 @@ const ( ) // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -// header is handled by the gateway proxy. +// header is handled by a proxy. // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails) // header handling for more details. // +kubebuilder:validation:Enum=UNDEFINED;SANITIZE;FORWARD_ONLY;APPEND_FORWARD;SANITIZE_SET;ALWAYS_FORWARD_ONLY 
@@ -2502,16 +2583,16 @@ type ForwardClientCertDetails string const ( // Field is not set ForwardClientCertDetailsUndefined ForwardClientCertDetails = "UNDEFINED" - // Do not send the XFCC header to the next hop. This is the default value. + // Do not send the XFCC header to the next hop. ForwardClientCertDetailsSanitize ForwardClientCertDetails = "SANITIZE" // When the client connection is mTLS (Mutual TLS), forward the XFCC header // in the request. ForwardClientCertDetailsForwardOnly ForwardClientCertDetails = "FORWARD_ONLY" // When the client connection is mTLS, append the client certificate - // information to the request’s XFCC header and forward it. + // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies. ForwardClientCertDetailsAppendForward ForwardClientCertDetails = "APPEND_FORWARD" // When the client connection is mTLS, reset the XFCC header with the client - // certificate information and send it to the next hop. + // certificate information and send it to the next hop. This is the default value for gateway proxies. ForwardClientCertDetailsSanitizeSet ForwardClientCertDetails = "SANITIZE_SET" // Always forward the XFCC header in the request, regardless of whether the // client connection is mTLS. @@ -2545,7 +2626,7 @@ const ( ) // Allows specification of various Istio-supported naming schemes for the -// Envoy `service_cluster` value. The `servce_cluster` value is primarily used +// Envoy `service_cluster` value. The `service_cluster` value is primarily used // by Envoys to provide service names for tracing spans. // +kubebuilder:validation:Enum=APP_LABEL_AND_NAMESPACE;CANONICAL_NAME_ONLY;CANONICAL_NAME_AND_NAMESPACE type ProxyConfigTracingServiceName string 
@@ -2632,7 +2713,7 @@ type Tracing struct { // The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, // if not requested by the client or not forced. Default is 1.0. Sampling float64 `json:"sampling,omitempty"` - // Use the tls_settings to specify the tls mode to use. If the remote tracing service + // Use the tlsSettings to specify the tls mode to use. If the remote tracing service // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` @@ -2665,7 +2746,7 @@ type Topology struct { // address to the X-Forwarded-For (XFF) address and set the // X-Envoy-External-Address header to the trusted client address before // forwarding it to the upstream services in the cluster. - // The default value of num_trusted_proxies is 0. + // The default value of numTrustedProxies is 0. // See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) // header handling for more details. NumTrustedProxies uint32 `json:"numTrustedProxies,omitempty"` @@ -2831,7 +2912,7 @@ type MeshConfigProxyConfig struct { // The amount of time allowed for connections to complete on proxy shutdown. // On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, // discouraging any new connections and allowing existing connections to complete. It then - // sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + // sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. // If not set, a default of `5s` will be applied. TerminationDrainDuration *metav1.Duration `json:"terminationDrainDuration,omitempty"` // The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) 
@@ -2926,7 +3007,7 @@ type RemoteService struct { // receiver, metrics receiver, etc.). Can be IP address or a fully // qualified DNS name. Address string `json:"address,omitempty"` - // Use the `tls_settings` to specify the tls mode to use. If the remote service + // Use the `tlsSettings` to specify the tls mode to use. If the remote service // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS // mode as `ISTIO_MUTUAL`. TlsSettings *ClientTLSSettings `json:"tlsSettings,omitempty"` @@ -3090,6 +3171,11 @@ type ProxyConfigProxyHeaders struct { // To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). // By default, `APPEND_FORWARD` will be used. ForwardedClientCert ForwardClientCertDetails `json:"forwardedClientCert,omitempty"` + // This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + // and the client connection is mTLS. It specifies the fields in + // the client certificate to be forwarded. Note that `Hash` is always set, and + // `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + SetCurrentClientCertDetails *ProxyConfigProxyHeadersSetCurrentClientCertDetails `json:"setCurrentClientCertDetails,omitempty"` // Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. // This applies to all types of traffic (inbound, outbound, and gateways). // If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. 
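Review bot: The new `SetCurrentClientCertDetails` comment refers to `forward_client_cert_details`, which is neither the Go field name (`ForwardedClientCert`) nor its JSON name (`forwardedClientCert`) shown two lines above, so a user reading `kubectl explain` output cannot find the field it depends on. Elsewhere this commit replaces such proto-style snake_case names with the camelCase JSON names, so this comment should follow suit: `// This field is valid only when \`forwardedClientCert\` is \`APPEND_FORWARD\` or \`SANITIZE_SET\``. The enum values could also be backticked to match the `ForwardedClientCert` comment directly above.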
@@ -3138,6 +3224,26 @@ type ProxyConfigProxyHeadersMetadataExchangeHeaders struct { Mode ProxyConfigProxyHeadersMetadataExchangeMode `json:"mode,omitempty"` } +type ProxyConfigProxyHeadersSetCurrentClientCertDetails struct { + // Whether to forward the subject of the client cert. Defaults to true. + Subject *bool `json:"subject,omitempty"` + // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + // XFCC header comma separated from other values with the value Cert="PEM". + // Defaults to false. + Cert *bool `json:"cert,omitempty"` + // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + // format. This will appear in the XFCC header comma separated from other values with the value + // Chain="PEM". + // Defaults to false. + Chain *bool `json:"chain,omitempty"` + // Whether to forward the DNS type Subject Alternative Names of the client cert. + // Defaults to true. + Dns *bool `json:"dns,omitempty"` + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // true. + Uri *bool `json:"uri,omitempty"` +} + // The following values are used to construct proxy image url. // format: `${hub}/${image_name}/${tag}-${image_type}`, // example: `docker.io/istio/proxyv2:1.11.1` or `docker.io/istio/proxyv2:1.11.1-distroless`. 
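Review bot: The new `ProxyConfigProxyHeadersSetCurrentClientCertDetails` struct has no type-level doc comment, unlike the other exported types visible in this file (e.g. the `ProxyConfigTracingServiceName` type carries one), so generated API docs and `kubectl explain` will show the fields without saying what the group controls. A one-line comment such as `// ProxyConfigProxyHeadersSetCurrentClientCertDetails selects which client-certificate details the proxy includes in the XFCC header it forwards to the next hop.` would fix that. Given that `Cert` and `Chain` embed the full URL-encoded PEM into a request header that upstream services receive, it is also worth the type comment noting that enabling them enlarges every forwarded request and exposes the certificate material to those services, so operators see the trade-off without reading each field.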
@@ -3186,8 +3292,8 @@ type WorkloadSelector struct { // the configuration namespace in which the resource is present. // +kubebuilder:validation:XValidation:message="wildcard not allowed in label key match",rule="self.all(key, !key.contains('*'))" // +kubebuilder:validation:XValidation:message="key must not be empty",rule="self.all(key, key.size() != 0)" - // +kubebuilder:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')" - // +kubebuilder:map-value-validation:MaxLength=63 + // +protoc-gen-crd:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')" + // +protoc-gen-crd:map-value-validation:MaxLength=63 // +kubebuilder:validation:MaxProperties=4096 MatchLabels map[string]string `json:"matchLabels,omitempty"` } @@ -3399,7 +3505,8 @@ type ClientTLSSettings struct { // to use in verifying a presented server certificate. `CRL` is a list of certificates // that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. // If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - // If omitted, the proxy will not verify the certificate against the `crl`. + // If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + // `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. CaCrl string `json:"caCrl,omitempty"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 97e2fda45..516cdd97c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
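Review bot: Renaming the `MatchLabels` markers from `+kubebuilder:map-value-validation:...` to `+protoc-gen-crd:map-value-validation:...` only keeps the label-value constraints (`MaxLength=63`, the no-wildcard `XValidation`) if the tool that generates this type's CRD understands the `protoc-gen-crd` prefix; the sibling `+kubebuilder:validation:...` markers on the same field are left as-is, which suggests a controller-gen-style pipeline that may silently ignore the renamed ones. That would drop admission-time validation without any build error, so the generated CRD for `WorkloadSelector` should be checked to still carry `maxLength: 63` and the wildcard rule on `matchLabels` values (the ServiceEntry/Sidecar manifests in this diff show what that output looks like). If the rename is intentional because both generators consume this file, a short comment above the markers saying which tool reads which prefix would save the next reader the same question.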
@@ -45,6 +45,11 @@ func (in *ArchConfig) DeepCopy() *ArchConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *BaseConfig) DeepCopyInto(out *BaseConfig) { *out = *in + if in.ExcludedCRDs != nil { + in, out := &in.ExcludedCRDs, &out.ExcludedCRDs + *out = make([]string, len(*in)) + copy(*out, *in) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaseConfig. @@ -1000,6 +1005,11 @@ func (in *IstiodConfig) DeepCopy() *IstiodConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IstiodRemoteConfig) DeepCopyInto(out *IstiodRemoteConfig) { *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstiodRemoteConfig. 
@@ -1698,6 +1708,37 @@ func (in *MeshConfigExtensionProviderEnvoyTcpGrpcV3LogProvider) DeepCopy() *Mesh return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshConfigExtensionProviderGrpcService) DeepCopyInto(out *MeshConfigExtensionProviderGrpcService) { + *out = *in + if in.Timeout != nil { + in, out := &in.Timeout, &out.Timeout + *out = new(metav1.Duration) + **out = **in + } + if in.InitialMetadata != nil { + in, out := &in.InitialMetadata, &out.InitialMetadata + *out = make([]*MeshConfigExtensionProviderHttpHeader, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(MeshConfigExtensionProviderHttpHeader) + **out = **in + } + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderGrpcService. +func (in *MeshConfigExtensionProviderGrpcService) DeepCopy() *MeshConfigExtensionProviderGrpcService { + if in == nil { + return nil + } + out := new(MeshConfigExtensionProviderGrpcService) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshConfigExtensionProviderHttpHeader) DeepCopyInto(out *MeshConfigExtensionProviderHttpHeader) { *out = *in @@ -1787,6 +1828,11 @@ func (in *MeshConfigExtensionProviderOpenTelemetryTracingProvider) DeepCopyInto( *out = new(MeshConfigExtensionProviderHttpService) (*in).DeepCopyInto(*out) } + if in.Grpc != nil { + in, out := &in.Grpc, &out.Grpc + *out = new(MeshConfigExtensionProviderGrpcService) + (*in).DeepCopyInto(*out) + } if in.ResourceDetectors != nil { in, out := &in.ResourceDetectors, &out.ResourceDetectors *out = new(MeshConfigExtensionProviderResourceDetectors) 
@@ -2528,6 +2574,11 @@ func (in *PilotConfig) DeepCopyInto(out *PilotConfig) { *out = new(PilotTaintControllerConfig) **out = **in } + if in.IstiodRemote != nil { + in, out := &in.IstiodRemote, &out.IstiodRemote + *out = new(IstiodRemoteConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PilotConfig. @@ -2743,6 +2794,11 @@ func (in *ProxyConfig) DeepCopy() *ProxyConfig { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyHeaders) DeepCopyInto(out *ProxyConfigProxyHeaders) { *out = *in + if in.SetCurrentClientCertDetails != nil { + in, out := &in.SetCurrentClientCertDetails, &out.SetCurrentClientCertDetails + *out = new(ProxyConfigProxyHeadersSetCurrentClientCertDetails) + (*in).DeepCopyInto(*out) + } if in.RequestId != nil { in, out := &in.RequestId, &out.RequestId *out = new(ProxyConfigProxyHeadersRequestId) 
@@ -2875,6 +2931,46 @@ func (in *ProxyConfigProxyHeadersServer) DeepCopy() *ProxyConfigProxyHeadersServ return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopyInto(out *ProxyConfigProxyHeadersSetCurrentClientCertDetails) { + *out = *in + if in.Subject != nil { + in, out := &in.Subject, &out.Subject + *out = new(bool) + **out = **in + } + if in.Cert != nil { + in, out := &in.Cert, &out.Cert + *out = new(bool) + **out = **in + } + if in.Chain != nil { + in, out := &in.Chain, &out.Chain + *out = new(bool) + **out = **in + } + if in.Dns != nil { + in, out := &in.Dns, &out.Dns + *out = new(bool) + **out = **in + } + if in.Uri != nil { + in, out := &in.Uri, &out.Uri + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersSetCurrentClientCertDetails. +func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopy() *ProxyConfigProxyHeadersSetCurrentClientCertDetails { + if in == nil { + return nil + } + out := new(ProxyConfigProxyHeadersSetCurrentClientCertDetails) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyStatsMatcher) DeepCopyInto(out *ProxyConfigProxyStatsMatcher) { *out = *in @@ -3803,12 +3899,12 @@ func (in *Values) DeepCopyInto(out *Values) { if in.Base != nil { in, out := &in.Base, &out.Base *out = new(BaseConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.IstiodRemote != nil { in, out := &in.IstiodRemote, &out.IstiodRemote *out = new(IstiodRemoteConfig) - **out = **in + (*in).DeepCopyInto(*out) } if in.RevisionTags != nil { in, out := &in.RevisionTags, &out.RevisionTags 
@@ -3840,6 +3936,38 @@ func (in *WaypointConfig) DeepCopyInto(out *WaypointConfig) { *out = new(v1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(v1.Affinity) + (*in).DeepCopyInto(*out) + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]*v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1.TopologySpreadConstraint) + (*in).DeepCopyInto(*out) + } + } + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = new(v1.NodeSelector) + (*in).DeepCopyInto(*out) + } + if in.Toleration != nil { + in, out := &in.Toleration, &out.Toleration + *out = make([]*v1.Toleration, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(v1.Toleration) + (*in).DeepCopyInto(*out) + } + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WaypointConfig. diff --git a/bundle.Dockerfile b/bundle.Dockerfile index c95e3e9f0..88d1b7d50 100644 --- a/bundle.Dockerfile +++ b/bundle.Dockerfile @@ -6,7 +6,7 @@ LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ LABEL operators.operatorframework.io.bundle.package.v1=servicemeshoperator3 LABEL operators.operatorframework.io.bundle.channels.v1="candidates" -LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.36.1 +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.37.0 LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 LABEL operators.operatorframework.io.metrics.project_layout=go.kubebuilder.io/v4 diff --git a/bundle/README.md b/bundle/README.md index e2878edf1..078ef4d31 100644 --- a/bundle/README.md +++ b/bundle/README.md 
@@ -88,9 +88,9 @@ drop down menu when creating a new `Istio` with the OpenShift Container Platform web console. For a list of available versions, see the [versions.yaml](/versions.yaml) file or use the command: - ```sh - $ kubectl explain istio.spec.version - ``` +```sh +$ kubectl explain istio.spec.version +``` ### Customizing Istio configuration @@ -131,9 +131,9 @@ spec: For a list of available configuration for the `spec.values` field, run the following command: - ```sh - $ kubectl explain istio.spec.values - ``` +```sh +$ kubectl explain istio.spec.values +``` For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. 
@@ -151,53 +151,7 @@ Alternatively, refer to [Istio's artifacthub chart documentation](https://artifa The `istioctl` tool is a configuration command line utility that allows service operators to debug and diagnose Istio service mesh deployments. - -### Prerequisites - -Use an `istioctl` version that is the same version as the Istio control plane -for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid -releases, including Beta releases. - - -### Procedure - -1. Confirm if you have `istioctl` installed, and if so which version, by running -the following command at the terminal: - - ```sh - $ istioctl version - ``` - -1. Confirm the version of Istio you are using by running the following command -at the terminal: - - ```sh - $ oc -n istio-system get istio - ``` - -1. Install `istioctl` by running the following command at the terminal: - - ```sh - $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - - ``` - Replace `` with the version of Istio you are using. - -1. Put the `istioctl` directory on path by running the following command at the terminal: - - ```sh - $ export PATH=$HOME/.istioctl/bin:$PATH - ``` - -1. Confirm that the `istioctl` client version and the Istio control plane -version now match (or are within one version) by running the following command -at the terminal: - - ```sh - $ istioctl version - ``` - - -*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). ## Installing the Bookinfo Application 
@@ -205,30 +159,7 @@ You can use the `bookinfo` example application to explore service mesh features. Using the `bookinfo` application, you can easily confirm that requests from a web browser pass through the mesh and reach the application. -The `bookinfo` application displays information about a book, similar to a -single catalog entry of an online book store. The application displays a page -that describes the book, lists book details (ISBN, number of pages, and other -information), and book reviews. - -The `bookinfo` application is exposed through the mesh, and the mesh configuration -determines how the microservices comprising the application are used to serve -requests. The review information comes from one of three services: `reviews-v1`, -`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without -defining the `reviews` virtual service, then the mesh uses a round-robin rule to -route requests to a service. - -By deploying the `reviews` virtual service, you can specify a different behavior. -For example, you can specify that if a user logs into the `bookinfo` application, -then the mesh routes requests to the `reviews-v2` service, and the application -displays reviews with black stars. If a user does not log into the `bookinfo` -application, then the mesh routes requests to the `reviews-v3` service, and the -application displays reviews with red stars. - -For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. - -After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you -will need to create and configure a gateway** for the `bookinfo` application to -be accessible outside the cluster. +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). ## Creating and Configuring Gateways 
@@ -240,81 +171,7 @@ contains the control plane. You can deploy gateways using either the Gateway API or Gateway Injection methods. - -### Option 1: Istio Gateway Injection - -Gateway Injection uses the same mechanisms as Istio sidecar injection to create -a gateway from a `Deployment` resource that is paired with a `Service` resource -that can be made accessible from outside the cluster. For more information, see -[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). - -To configure gateway injection with the `bookinfo` application, we have provided -a [sample gateway configuration](../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace -where the application is installed: - -1. Create the `istio-ingressgateway` deployment and service: - - ```sh - $ oc apply -f -n ingress-gateway.yaml - ``` - -2. Configure the `bookinfo` application with the new gateway: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml - ``` - -3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: - - ```sh - $ oc expose service istio-ingressgateway - ``` - -4. Finally, obtain the gateway host name and the URL of the product page: - - ```sh - $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') - $ echo http://$HOST/productpage - ``` - -Verify that the `productpage` is accessible from a web browser. - - -### Option 2: Kubernetes Gateway API - -Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it -the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more -information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. 
- -As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are -not available by default and must be enabled to be used. This can be done with -the command: - -```sh -$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } -``` - -To configure `bookinfo` with a gateway using `Gateway API`: - -1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml - ``` - -2. Retrieve the host, port and gateway URL: - - ```sh - $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') - $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') - $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT - ``` - -3. Obtain the `productpage` URL and check that you can visit it from a browser: - - ```sh - $ echo "http://${GATEWAY_URL}/productpage" - ``` +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). ## Istio Addons Integrations 
@@ -324,118 +181,7 @@ Istio can be integrated with other software to provide additional functionality The following addons are for demonstration or development purposes only and should not be used in production environments: - -### Prometheus - -`Prometheus` is an open-source systems monitoring and alerting toolkit. You can -use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and -the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/). - -To install Prometheus, perform the following steps: - -1. Deploy `Prometheus`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml - ``` -2. Access to `Prometheus`console: - - * Expose the `Prometheus` service externally: - - ```sh - $ oc expose service prometheus -n istio-system - ``` - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system - ``` - - -### Grafana - -`Grafana` is an open-source platform for monitoring and observability. You can -use `Grafana` with the Sail Operator to configure dashboards for istio, see -[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information. - -To install Grafana, perform the following steps: - -1. Deploy `Grafana`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml - ``` - -2. Access to `Grafana`console: - - * Expose the `Grafana` service externally - - ```sh - $ oc expose service grafana -n istio-system - ``` - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system - ``` - - -### Jaeger - -`Jaeger` is an open-source end-to-end distributed tracing system. 
You can use -`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in -complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information. - -To install Jaeger, perform the following steps: - -1. Deploy `Jaeger`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml - ``` -2. Access to `Jaeger` console: - - * Expose the `Jaeger` service externally: - - ```sh - $ oc expose svc/tracing -n istio-system - ``` - - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system - ``` -*Note*: if you want to see some traces you can refresh several times the product -page of bookinfo app to start generating traces. - - -### Kiali - -`Kiali` is an open-source project that provides a graphical user interface to -visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information. - -To install Kiali, perform the following steps: - -1. Deploy `Kiali`: - - ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml - ``` - -2. Access to `Kiali` console: - - * Expose the `Kiali` service externally: - - ```sh - $ oc expose service kiali -n istio-system - ``` - - * Get the route of the service and open the URL in the web browser - - ```sh - $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system - ``` +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). ## Undeploying Istio and the Sail Operator diff --git a/bundle/manifests/extensions.istio.io_wasmplugins.yaml b/bundle/manifests/extensions.istio.io_wasmplugins.yaml index 88e2c95aa..22803cb14 100644 --- a/bundle/manifests/extensions.istio.io_wasmplugins.yaml +++ b/bundle/manifests/extensions.istio.io_wasmplugins.yaml 
@@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/networking.istio.io_envoyfilters.yaml b/bundle/manifests/networking.istio.io_envoyfilters.yaml index 334adad40..f2181cfc6 100644 --- a/bundle/manifests/networking.istio.io_envoyfilters.yaml +++ b/bundle/manifests/networking.istio.io_envoyfilters.yaml @@ -304,6 +304,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -311,12 +312,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/networking.istio.io_serviceentries.yaml b/bundle/manifests/networking.istio.io_serviceentries.yaml index c9bd00434..6fe1824c4 100644 --- a/bundle/manifests/networking.istio.io_serviceentries.yaml 
+++ b/bundle/manifests/networking.istio.io_serviceentries.yaml @@ -57,7 +57,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -132,6 +134,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -148,14 +155,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -163,11 +175,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -190,14 +212,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -269,6 +309,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -307,7 +349,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -382,6 +426,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -398,14 +447,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -413,11 +467,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -440,14 +504,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -519,6 +601,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -557,7 +641,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -632,6 +718,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -648,14 +739,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -663,11 +759,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -690,14 +796,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -769,6 +893,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/bundle/manifests/networking.istio.io_sidecars.yaml b/bundle/manifests/networking.istio.io_sidecars.yaml index 690339869..dd6b32b37 100644 --- a/bundle/manifests/networking.istio.io_sidecars.yaml +++ b/bundle/manifests/networking.istio.io_sidecars.yaml @@ -473,9 +473,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -1006,9 +1011,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -1539,9 +1549,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object diff --git a/bundle/manifests/networking.istio.io_workloadentries.yaml b/bundle/manifests/networking.istio.io_workloadentries.yaml index e61d58ac9..8ff93a410 100644 --- a/bundle/manifests/networking.istio.io_workloadentries.yaml +++ b/bundle/manifests/networking.istio.io_workloadentries.yaml @@ -175,8 +175,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -333,8 +331,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -491,8 +487,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true diff --git a/bundle/manifests/networking.istio.io_workloadgroups.yaml b/bundle/manifests/networking.istio.io_workloadgroups.yaml index 65e0a1b3f..486c0e689 100644 --- a/bundle/manifests/networking.istio.io_workloadgroups.yaml +++ b/bundle/manifests/networking.istio.io_workloadgroups.yaml 
@@ -45,10 +45,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -77,13 +79,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -98,6 +104,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -111,8 +118,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -120,15 +133,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -139,12 +155,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -204,8 +224,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -283,6 +301,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -311,10 +331,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -343,13 +365,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -364,6 +390,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -377,8 +404,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -386,15 +419,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -405,12 +441,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -470,8 +510,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -549,6 +587,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -577,10 +617,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -609,13 +651,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -630,6 +676,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -643,8 +690,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -652,15 +705,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -671,12 +727,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -736,8 +796,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -815,6 +873,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index 7025e9062..34fb11fdf 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml 
+++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: istiocnis.sailoperator.io spec: @@ -378,7 +378,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -393,7 +393,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -561,7 +561,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -576,7 +576,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -742,7 +742,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -757,7 +757,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -925,7 +925,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -940,7 +940,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1078,13 +1078,13 @@ spec: description: |- Additional annotations to apply to the istio-cni Pods. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object privileged: description: |- No longer used for CNI. See: https://github.com/istio/istio/issues/49004 - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean provider: description: |- @@ -1122,7 +1122,7 @@ spec: description: |- No longer used. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string deletePods: description: |- @@ -1204,6 +1204,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1290,7 +1296,7 @@ spec: description: |- See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1310,6 +1316,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 96e9a6790..fb7b7df7f 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: istiorevisions.sailoperator.io spec: @@ -75,6 +75,9 @@ spec: namespace: description: Namespace to which the Istio components should be installed. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf type: default: Local description: Type indicates whether this revision represents a local @@ -90,6 +93,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string 
@@ -118,7 +126,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -170,13 +178,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -190,7 +195,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -210,6 +215,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -251,7 +262,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -344,7 +355,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -411,7 +422,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -566,7 +577,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -591,6 +602,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress 
@@ -610,7 +623,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -901,7 +914,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -922,6 +935,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1008,7 +1027,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1029,6 +1048,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1075,7 +1100,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1138,26 +1163,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1183,6 +2238,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1215,11 +2276,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1267,7 +2559,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1277,8 +2569,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1299,7 +2591,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -1404,12 +2697,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1481,7 +2774,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1499,7 +2792,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1679,7 +2973,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1697,7 +2991,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1807,7 +3102,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1825,7 +3120,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1943,7 +3239,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2129,6 +3425,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2391,7 +3722,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2544,7 +3875,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2562,7 +3893,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2672,8 +4004,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces 
@@ -2749,7 +4081,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: @@ -2778,8 +4110,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -2962,7 +4294,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -2970,10 +4302,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -2981,7 +4313,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: 
@@ -3007,7 +4339,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3081,11 +4413,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3098,7 +4430,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3106,10 +4438,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3117,7 +4449,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: 
@@ -3126,7 +4458,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the @@ -3167,7 +4499,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3292,7 +4624,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3300,7 +4632,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3470,11 +4802,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3551,8 +4883,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3565,6 +4897,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3643,7 +5019,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3779,6 +5155,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3880,7 +5261,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4188,7 +5569,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4257,7 +5638,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4304,7 +5685,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4632,7 +6013,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4647,7 +6028,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4815,7 +6196,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4830,7 +6211,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4996,7 +6377,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5011,7 +6392,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5179,7 +6560,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5194,7 +6575,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5429,7 +6810,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5488,6 +6869,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5507,7 +6908,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5525,7 +6926,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5535,7 +6936,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
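Review bot: The new `istiodRemote` block leaves `injectionCABundle` and `injectionURL` underspecified for what is a trust-anchor setting: "injector ca bundle" says nothing about encoding, and nothing states that the bundle is what verifies the TLS certificate presented at `injectionURL`. I would expand the descriptions to `injectionCABundle: CA bundle used to verify the TLS serving certificate of the remote sidecar injector at injectionURL (presumably base64-encoded PEM, as in MutatingWebhookConfiguration.clientConfig.caBundle — confirm against the chart)` and `injectionURL: https:// URL of the remote sidecar injector webhook; its serving certificate must chain to injectionCABundle`. The `enabled` description also ends with a stray comma (`consume a "remote" istiod instance,`) that should be a period. None of the three string fields carries a `format` or `pattern`, so a non-https URL or an unencoded bundle is accepted by the API server and would only be caught, if at all, at runtime. The enclosing `properties` map of the spec continues outside this hunk, and since this CRD is generated by controller-gen the wording changes belong in the source type's comments.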
@@ -5549,7 +6950,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5558,7 +6959,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5578,6 +6979,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5617,7 +7024,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5630,7 +7037,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5693,7 +7100,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6047,6 +7454,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6060,6 +7468,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6669,7 +8078,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6892,6 +8301,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6923,6 +8367,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7074,10 +8519,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7462,6 +8910,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7476,6 +8925,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7506,6 +8956,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7520,6 +8971,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7560,6 +9012,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index a4d3cde69..d6c42561b 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: istios.sailoperator.io spec: 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -82,7 +86,11 @@ spec: namespace: default: istio-system description: Namespace to which the Istio components should be installed. + Note that this field is immutable. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf profile: description: |- The built-in installation configuration profile to use. @@ -144,6 +152,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -172,7 +185,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch 
@@ -224,13 +237,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -244,7 +254,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -264,6 +274,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -305,7 +321,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches 
@@ -398,7 +414,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -465,7 +481,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -620,7 +636,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -645,6 +661,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress @@ -664,7 +682,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- 
@@ -955,7 +973,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -976,6 +994,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1062,7 +1086,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1083,6 +1107,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1129,7 +1159,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1192,26 +1222,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1237,6 +2297,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1269,11 +2335,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1321,7 +2618,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1331,8 +2628,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1353,7 +2650,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -1458,12 +2756,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1535,7 +2833,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1553,7 +2851,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1733,7 +3032,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1751,7 +3050,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1861,7 +3161,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1879,7 +3179,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1997,7 +3298,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2183,6 +3484,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2445,7 +3781,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2598,7 +3934,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2616,7 +3952,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2726,8 +4063,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces 
@@ -2803,7 +4140,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: @@ -2832,8 +4169,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3016,7 +4353,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3024,10 +4361,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3035,7 +4372,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: 
@@ -3061,7 +4398,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3135,11 +4472,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3152,7 +4489,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3160,10 +4497,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3171,7 +4508,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: 
@@ -3180,7 +4517,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the @@ -3221,7 +4558,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3346,7 +4683,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3354,7 +4691,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3524,11 +4861,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3605,8 +4942,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3619,6 +4956,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3697,7 +5078,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3833,6 +5214,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3934,7 +5320,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4242,7 +5628,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4311,7 +5697,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4358,7 +5744,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4686,7 +6072,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4701,7 +6087,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4869,7 +6255,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4884,7 +6270,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5050,7 +6436,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5065,7 +6451,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5233,7 +6619,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5248,7 +6634,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5483,7 +6869,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5542,6 +6928,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5561,7 +6967,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5579,7 +6985,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5589,7 +6995,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5603,7 +7009,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5612,7 +7018,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5632,6 +7038,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5671,7 +7083,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5684,7 +7096,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5747,7 +7159,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6101,6 +7513,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6114,6 +7527,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6723,7 +8137,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6946,6 +8360,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6977,6 +8426,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7128,10 +8578,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7516,6 +8969,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7530,6 +8984,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7560,6 +9015,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7574,6 +9030,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7614,6 +9071,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7997,6 +9455,9 @@ spec: status: description: IstioStatus defines the observed state of Istio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index be25b78e7..eda03ec73 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 creationTimestamp: null name: remoteistios.sailoperator.io spec: 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -139,6 +143,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -167,7 +176,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -219,13 +228,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with 
@@ -239,7 +245,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -259,6 +265,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -300,7 +312,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -393,7 +405,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -460,7 +472,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be 
@@ -615,7 +627,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -640,6 +652,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress @@ -659,7 +673,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -950,7 +964,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -971,6 +985,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1057,7 +1077,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1078,6 +1098,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1124,7 +1150,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1187,26 +1213,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1232,6 +2288,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
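Review bot: The `request` property added to the resource-claim entry in the `@@ -1232,6 +2288,12 @@` hunk is accepted as a bare `type: string` with no `maxLength` or `pattern`, whereas the `name` it is paired with remains the only key under `required`; if this schema is generated from the Go API types (the `x-kubernetes-list-type: atomic` markers suggest controller-gen output), any tightening belongs on the type's kubebuilder markers rather than in this file. Upstream Kubernetes appears to validate a claim request name as a DNS label, so `maxLength: 63` plus the DNS-label pattern would let the API server reject malformed values before the operator copies them into pod specs — worth confirming against the vendored Kubernetes version before adding. The field's presence also implies the CRD now mirrors a Kubernetes API level that defines `ResourceClaim.Request`; confirm the operator's client-go/api dependency and the documented minimum cluster version were bumped together, since an older API server may drop the field from pods the operator creates without any error surfacing here.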
@@ -1264,11 +2326,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1316,7 +2609,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1326,8 +2619,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1348,7 +2641,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -1453,12 +2747,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1530,7 +2824,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1548,7 +2842,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1728,7 +3023,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1746,7 +3041,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1856,7 +3152,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1874,7 +3170,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1992,7 +3289,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2178,6 +3475,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2440,7 +3772,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2593,7 +3925,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2611,7 +3943,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2721,8 +4054,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces 
@@ -2798,7 +4131,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: @@ -2827,8 +4160,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3011,7 +4344,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3019,10 +4352,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3030,7 +4363,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: 
@@ -3056,7 +4389,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3130,11 +4463,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3147,7 +4480,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3155,10 +4488,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3166,7 +4499,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: 
@@ -3175,7 +4508,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the @@ -3216,7 +4549,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3341,7 +4674,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3349,7 +4682,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3519,11 +4852,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3600,8 +4933,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3614,6 +4947,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3692,7 +5069,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3828,6 +5205,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3929,7 +5311,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4237,7 +5619,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4306,7 +5688,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4353,7 +5735,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4681,7 +6063,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4696,7 +6078,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4864,7 +6246,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4879,7 +6261,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5045,7 +6427,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5060,7 +6442,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5228,7 +6610,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5243,7 +6625,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5478,7 +6860,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5537,6 +6919,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5556,7 +6958,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5574,7 +6976,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5584,7 +6986,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5598,7 +7000,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5607,7 +7009,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5627,6 +7029,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5666,7 +7074,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5679,7 +7087,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5742,7 +7150,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6096,6 +7504,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6109,6 +7518,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6718,7 +8128,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6941,6 +8351,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6972,6 +8417,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7123,10 +8569,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7511,6 +8960,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7525,6 +8975,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7555,6 +9006,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7569,6 +9021,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7609,6 +9062,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7992,6 +9446,9 @@ spec: status: description: RemoteIstioStatus defines the observed state of RemoteIstio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/bundle/manifests/security.istio.io_authorizationpolicies.yaml b/bundle/manifests/security.istio.io_authorizationpolicies.yaml index c7aef487f..bebc1b2c6 100644 --- a/bundle/manifests/security.istio.io_authorizationpolicies.yaml +++ b/bundle/manifests/security.istio.io_authorizationpolicies.yaml 
@@ -296,8 +296,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -645,8 +649,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/manifests/security.istio.io_requestauthentications.yaml b/bundle/manifests/security.istio.io_requestauthentications.yaml index 94dad1c0e..2d1b0ba00 100644 --- a/bundle/manifests/security.istio.io_requestauthentications.yaml +++ b/bundle/manifests/security.istio.io_requestauthentications.yaml @@ -230,10 +230,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: 
@@ -516,10 +517,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: diff --git a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml index 2d9ebf907..0cd99abcf 100644 --- a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml +++ b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:3.0-latest - createdAt: "2024-10-10T07:52:12Z" + createdAt: "2024-10-16T09:19:43Z" description: The OpenShift Service Mesh Operator enables you to install, configure, and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service Mesh is based on the open source Istio project. 
@@ -50,7 +50,7 @@ metadata: features.operators.openshift.io/token-auth-gcp: "false" operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]' - operators.operatorframework.io/builder: operator-sdk-v1.36.1 + operators.operatorframework.io/builder: operator-sdk-v1.37.0 operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/istio-ecosystem/sail-operator @@ -268,6 +268,7 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - description: Namespace to which the Istio components should be installed. + Note that this field is immutable. displayName: Namespace path: namespace x-descriptors: @@ -596,7 +597,7 @@ spec: serviceAccountName: servicemesh-operator3 deployments: - label: - app.kubernetes.io/component: manager + app.kubernetes.io/component: sail-operator app.kubernetes.io/created-by: servicemeshoperator3 app.kubernetes.io/instance: servicemesh-operator3 app.kubernetes.io/managed-by: helm 
@@ -615,12 +616,12 @@ spec: template: metadata: annotations: - images.v1_23_0.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:1.23.0.tp.1 - images.v1_23_0.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.0.tp.1 - images.v1_23_0.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9:3.0.0.tp.1 - images.v1_23_0.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:3.0.0.tp.1 - images.v1_23_0.ztunnel: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.0.tp.1 - kubectl.kubernetes.io/default-container: manager + images.v1_23_2.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:1.23.2.tp.1 + images.v1_23_2.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.2.tp.1 + images.v1_23_2.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9:3.0.0.tp.1 + images.v1_23_2.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:3.0.0.tp.1 + images.v1_23_2.ztunnel: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.2.tp.1 + kubectl.kubernetes.io/default-container: sail-operator labels: app.kubernetes.io/created-by: servicemeshoperator3 app.kubernetes.io/part-of: servicemeshoperator3 @@ -669,18 +670,18 @@ spec: - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 + - --zap-log-level=info - --default-profile=openshift command: - - /manager + - /sail-operator image: quay.io/maistra-dev/sail-operator:3.0-latest - imagePullPolicy: Always livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager + name: sail-operator readinessProbe: httpGet: path: /readyz diff --git a/bundle/manifests/telemetry.istio.io_telemetries.yaml b/bundle/manifests/telemetry.istio.io_telemetries.yaml index 2839a1467..ec3cf100a 100644 --- a/bundle/manifests/telemetry.istio.io_telemetries.yaml +++ b/bundle/manifests/telemetry.istio.io_telemetries.yaml 
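Review bot: The new `images.v1_23_2.ztunnel` annotation points at `istio-pilot-rhel9:1.23.2.tp.1`, the same image as the `images.v1_23_2.istiod` entry, while every other entry maps to a component-specific image (cni, must-gather, proxy). The removed `images.v1_23_0.ztunnel` line had the same pattern, so this may be a deliberate placeholder rather than a regression, but if the operator resolves ztunnel from these annotations it would deploy istiod in its place. If it is intentional, a short comment in whatever source this bundle is rendered from saying so would save the next reviewer the same question; if not, it should reference a ztunnel image.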
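Review bot: Removing `imagePullPolicy: Always` while the container keeps the floating tag `quay.io/maistra-dev/sail-operator:3.0-latest` changes the effective policy to Kubernetes' default of IfNotPresent (only a bare `:latest` tag defaults to Always), so a node that already has an older build of that tag cached will keep running it after the operator is redeployed. Either restore `imagePullPolicy: Always` for this tag or, better for a release bundle, reference the image by digest so what runs is immutable and verifiable. This CSV looks generated by operator-sdk (the builder annotation is bumped in the same diff), so the fix presumably belongs in the manifest the bundle is rendered from rather than in this file.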
@@ -282,6 +282,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -393,6 +394,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -726,6 +730,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -837,6 +842,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/bundle/metadata/annotations.yaml b/bundle/metadata/annotations.yaml index 5fd517b82..3bef409f7 100644 --- a/bundle/metadata/annotations.yaml +++ b/bundle/metadata/annotations.yaml @@ -5,7 +5,7 @@ annotations: operators.operatorframework.io.bundle.metadata.v1: metadata/ operators.operatorframework.io.bundle.package.v1: servicemeshoperator3 operators.operatorframework.io.bundle.channels.v1: "candidates" - operators.operatorframework.io.metrics.builder: operator-sdk-v1.36.1 + operators.operatorframework.io.metrics.builder: operator-sdk-v1.37.0 operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 operators.operatorframework.io.metrics.project_layout: go.kubebuilder.io/v4 diff --git a/bundle/tests/scorecard/config.yaml b/bundle/tests/scorecard/config.yaml index 798809dc7..bd9bf1e03 100644 --- a/bundle/tests/scorecard/config.yaml 
+++ b/bundle/tests/scorecard/config.yaml @@ -8,7 +8,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: basic test: basic-check-spec-test @@ -18,7 +18,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-bundle-validation-test @@ -28,7 +28,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-crds-have-validation-test @@ -38,7 +38,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-spec-descriptors-test @@ -48,7 +48,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/chart/README.md b/chart/README.md new file mode 100644 index 000000000..b7b40273e --- /dev/null +++ b/chart/README.md 
@@ -0,0 +1,242 @@ +# Deploy Sail Operator by using Helm charts + +Follow this guide to install and configure Sail Operator by using [Helm](https://helm.sh/docs/) + +## Prerequisites + +Kubernetes: +* You have deployed a cluster on Kubernetes platform 1.27 or later. +* You are logged in to the Kubernetes cluster with admin permissions level user. + +OpenShift: +* You have deployed a cluster on OpenShift Container Platform 4.14 or later. +* You are logged in to the OpenShift Container Platform web console as a user with the `cluster-admin` role. + +[Install the Helm client](https://helm.sh/docs/intro/install/), version 3.6 or above. + +## Prepare the Helm charts + +```sh +$ helm repo add sail-operator https://istio-ecosystem.github.io/sail-operator +$ helm repo update +``` + +## Installation steps + +This section describes the procedure to install `Sail Operator` using Helm. The general syntax for helm installation is: + +```sh +$ helm install --create-namespace --namespace [--set ] +``` + +The variables specified in the command are as follows: +* `` - A name to identify and manage the Helm chart once installed. +* `` - A path to a packaged chart, a path to an unpacked chart directory or a URL. +* `` - The namespace in which the chart is to be installed. + +Default configuration values can be changed using one or more `--set =` arguments. Alternatively, you can specify several parameters in a custom values file using the `--values ` argument. + +1. Create the namespace, `sail-operator`, for the Sail Operator components: + + ```sh + $ kubectl create namespace sail-operator + ``` + +**Note** - This step could be skipped by using the `--create-namespace` argument in step 2. + +2. 
Install the Sail Operator base charts which will manage all the Custom Resource Definitions(CRDs) to be able to deploy the Istio control plane: + +* Kubernetes + + ```sh + $ helm install sail-operator sail-operator/sail-operator --namespace sail-operator + ``` + +* OpenShift + + ```sh + $ helm install sail-operator sail-operator/sail-operator --namespace sail-operator --set platform=openshift + ``` + +3. Validate the CRD installation with the `helm ls` command: + + ```sh + $ helm ls -n sail-operator + + NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION + sail-operator sail-operator 1 2024-09-26 21:15:52.508983383 +0300 IDT deployed sail-operator-0.1.0 0.1.0 + ``` + +4. Get the status of the installed helm chart to ensure it is deployed: + + ```bash + $ helm status sail-operator -n sail-operator + + NAME: sail-operator + LAST DEPLOYED: Thu Sep 26 21:15:52 2024 + NAMESPACE: sail-operator + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +5. Check `sail-operator` deployment is successfully installed and its pods are running: + + ```sh + $ kubectl -n sail-operator get deployment --output wide + + NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR + sail-operator 1/1 1 1 107s kube-rbac-proxy,sail-operator gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0,quay.io/maistra-dev/sail-operator:0.1-latest app.kubernetes.io/created-by=sailoperator,app.kubernetes.io/part-of=sailoperator,control-plane=sail-operator + + $ kubectl -n sail-operator get pods -o wide + + NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES + sail-operator-666f84b6f4-9hw4t 2/2 Running 0 43s 10.244.0.8 sail-control-plane + ``` + +## Deploying Istio + +To deploy Istio, you must create the following resources: +* `Istio`. +* If you are using OpenShift, the `IstioCNI` must also be created. + +The `Istio` resource deploys and configures the Istio Control Plane, whereas the `IstioCNI` resource (in OpenShift) deploys and configures the Istio CNI plugin. 
You should create these resources in separate projects. + +### Create a namespace for Istio project. + +* Kubernetes + + ```sh + $ kubectl create namespace istio-system + ``` + +* OpenShift + + ```sh + $ kubectl create namespace istio-system + $ kubectl create namespace istio-cni + ``` + +### Create the Istio resource + +The `sail-operator` charts directory contains `samples` directory, which contains manifests that could be used for Istio deployment. + +* Kubernetes + + ```sh + $ kubectl apply -f sail-operator/samples/istio-sample-kubernetes.yaml + ``` + +* OpenShift + + ```sh + $ kubectl apply -f sail-operator/samples/istio-sample-openshift.yaml + $ kubectl apply -f sail-operator/samples/istiocni-sample.yaml + ``` + +**Note** - The version can be specified by modifying the `version` field within `Istio` and `IstioCNI` manifests. + +### Customizing Istio configuration + +The `spec.values` field of the `Istio` and `IstioCNI` resource can be used to customize Istio and Istio CNI plugin configuration using Istio's `Helm` configuration values. + +An example configuration: + + ```yaml + apiVersion: sailoperator.io/v1alpha1 + kind: Istio + metadata: + name: example + spec: + version: v1.23.0 + values: + global: + mtls: + enabled: true + trustDomainAliases: + - example.net + meshConfig: + trustDomain: example.com + trustDomainAliases: + - example.net + ``` + +For a list of available configuration for the `spec.values` field, run the following command: + +```sh +$ kubectl explain istio.spec.values +``` + +For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. 
+ +Alternatively, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for: + +- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values) +- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values) +- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values) +- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values) +- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values) + +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). + +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). + +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). + +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). 
+The following addons are for demonstration or development purposes only and +should not be used in production environments: + +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). + + +## Undeploying Istio and the Sail Operator + +### Deleting Istio + +```sh +$ kubectl -n istio-system delete istio default +``` + +### Deleting IstioCNI (in OpenShift cluster platform) + +```sh +$ kubectl -n istio-cni delete istiocni default +``` + +### Uninstall the Sail Operator using Helm + +```sh +$ helm uninstall sail-operator --namespace sail-operator +``` + +### Deleting the Project namespaces + +```sh +$ kubectl delete namespace istio-system +$ kubectl delete namespace istio-cni +$ kubectl delete namespace sail-operator +``` diff --git a/chart/crds/extensions.istio.io_wasmplugins.yaml b/chart/crds/extensions.istio.io_wasmplugins.yaml index 334b5af14..1acec4b67 100644 --- a/chart/crds/extensions.istio.io_wasmplugins.yaml +++ b/chart/crds/extensions.istio.io_wasmplugins.yaml @@ -217,6 +217,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: description: |- @@ -282,6 +283,9 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/networking.istio.io_envoyfilters.yaml b/chart/crds/networking.istio.io_envoyfilters.yaml index 678f9e714..e2be5b942 100644 --- a/chart/crds/networking.istio.io_envoyfilters.yaml +++ b/chart/crds/networking.istio.io_envoyfilters.yaml 
@@ -303,6 +303,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs @@ -310,12 +311,20 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/networking.istio.io_serviceentries.yaml b/chart/crds/networking.istio.io_serviceentries.yaml index f5dd5c258..bc244d50b 100644 --- a/chart/crds/networking.istio.io_serviceentries.yaml +++ b/chart/crds/networking.istio.io_serviceentries.yaml @@ -56,7 +56,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -131,6 +133,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -147,14 +154,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -162,11 +174,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -189,14 +211,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -268,6 +308,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -306,7 +348,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -381,6 +425,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -397,14 +446,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -412,11 +466,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -439,14 +503,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -518,6 +600,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -556,7 +640,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -631,6 +717,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- 
@@ -647,14 +738,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -662,11 +758,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -689,14 +795,32 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!(has(self.addresses) && self.addresses.exists(k, k.contains(''/'')) + && (self.resolution != ''STATIC'' && self.resolution != ''NONE''))' + - message: NONE mode cannot set endpoints + rule: '(!has(self.resolution) || self.resolution == ''NONE'') ? !has(self.endpoints) + : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '(has(self.resolution) && self.resolution == ''DNS_ROUND_ROBIN'') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true' status: properties: conditions: @@ -768,6 +892,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/chart/crds/networking.istio.io_sidecars.yaml b/chart/crds/networking.istio.io_sidecars.yaml index 7ff9a81c4..560e8fbb1 100644 --- a/chart/crds/networking.istio.io_sidecars.yaml +++ b/chart/crds/networking.istio.io_sidecars.yaml @@ -472,9 +472,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object 
@@ -1005,9 +1010,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object @@ -1538,9 +1548,14 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains(''*'')' description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object diff --git a/chart/crds/networking.istio.io_workloadentries.yaml b/chart/crds/networking.istio.io_workloadentries.yaml index ec4ed86ed..cf682cd2d 100644 --- a/chart/crds/networking.istio.io_workloadentries.yaml +++ b/chart/crds/networking.istio.io_workloadentries.yaml @@ -174,8 +174,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -332,8 +330,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -490,8 +486,6 @@ spec: x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true diff --git a/chart/crds/networking.istio.io_workloadgroups.yaml b/chart/crds/networking.istio.io_workloadgroups.yaml index 6659317d5..9f06ab833 100644 --- a/chart/crds/networking.istio.io_workloadgroups.yaml +++ b/chart/crds/networking.istio.io_workloadgroups.yaml @@ -44,10 +44,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: 
@@ -76,13 +78,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -97,6 +103,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -110,8 +117,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -119,15 +132,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -138,12 +154,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: 
@@ -203,8 +223,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -282,6 +300,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -310,10 +330,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -342,13 +364,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -363,6 +389,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -376,8 +403,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
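Review bot: The `Address is required` rule (`has(self.address) || has(self.network)`) is dropped from the WorkloadGroup `template` validation in this hunk and again in the hunks at `@@ -469,8 +509,6 @@` and `@@ -735,8 +795,6 @@`, so a template that sets neither `address` nor `network` is now accepted at admission instead of being rejected. This file looks like a regenerated copy of the upstream Istio CRD, so the place to change the rule is upstream rather than here, and the remaining `UDS may not include ports` rule still covers the `unix://` case. The relaxation still deserves a sentence in the PR description or changelog, because operators who relied on admission to reject address-less templates now need that check elsewhere; presumably the address is populated at workload registration, but that is inferred rather than visible in the diff.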
@@ -385,15 +418,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -404,12 +440,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -469,8 +509,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -548,6 +586,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -576,10 +616,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -608,13 +650,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the 
@@ -629,6 +675,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -642,8 +689,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -651,15 +704,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -670,12 +726,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -735,8 +795,6 @@ spec: type: integer type: object x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - message: UDS may not include ports rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? !has(self.ports) : true' @@ -814,6 +872,8 @@ spec: type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 39e5f3fe3..f793ef80e 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml 
+++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: istiocnis.sailoperator.io spec: group: sailoperator.io @@ -378,7 +378,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -393,7 +393,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -561,7 +561,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -576,7 +576,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -742,7 +742,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -757,7 +757,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -925,7 +925,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -940,7 +940,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -1078,13 +1078,13 @@ spec: description: |- Additional annotations to apply to the istio-cni Pods. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object privileged: description: |- No longer used for CNI. See: https://github.com/istio/istio/issues/49004 - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean provider: description: |- @@ -1122,7 +1122,7 @@ spec: description: |- No longer used. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string deletePods: description: |- @@ -1204,6 +1204,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1290,7 +1296,7 @@ spec: description: |- See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1310,6 +1316,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index f6255f6b0..e216e7ebc 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: istiorevisions.sailoperator.io spec: group: sailoperator.io @@ -75,6 +75,9 @@ spec: namespace: description: Namespace to which the Istio components should be installed. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf type: default: Local description: Type indicates whether this revision represents a local @@ -90,6 +93,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string 
@@ -118,7 +126,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -170,13 +178,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with @@ -190,7 +195,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -210,6 +215,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -251,7 +262,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -344,7 +355,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -411,7 +422,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be @@ -566,7 +577,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -591,6 +602,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress 
@@ -610,7 +623,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -901,7 +914,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -922,6 +935,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1008,7 +1027,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1029,6 +1048,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1075,7 +1100,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1138,26 +1163,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1183,6 +2238,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1215,11 +2276,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1267,7 +2559,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1277,8 +2569,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1299,7 +2591,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -1404,12 +2697,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1481,7 +2774,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1499,7 +2792,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1679,7 +2973,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1697,7 +2991,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1807,7 +3102,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1825,7 +3120,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1943,7 +3239,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2129,6 +3425,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
@@ -2391,7 +3722,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2544,7 +3875,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2562,7 +3893,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2672,8 +4004,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces 
@@ -2749,7 +4081,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: @@ -2778,8 +4110,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -2962,7 +4294,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -2970,10 +4302,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -2981,7 +4313,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: 
@@ -3007,7 +4339,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3081,11 +4413,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3098,7 +4430,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3106,10 +4438,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3117,7 +4449,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: 
@@ -3126,7 +4458,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the @@ -3167,7 +4499,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3292,7 +4624,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3300,7 +4632,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3470,11 +4802,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3551,8 +4883,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3565,6 +4897,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3643,7 +5019,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3779,6 +5155,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3880,7 +5261,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4188,7 +5569,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4257,7 +5638,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4304,7 +5685,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4632,7 +6013,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4647,7 +6028,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4815,7 +6196,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4830,7 +6211,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4996,7 +6377,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5011,7 +6392,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5179,7 +6560,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5194,7 +6575,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5429,7 +6810,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5488,6 +6869,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5507,7 +6908,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5525,7 +6926,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5535,7 +6936,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5549,7 +6950,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5558,7 +6959,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5578,6 +6979,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5617,7 +7024,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5630,7 +7037,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5693,7 +7100,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6047,6 +7454,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6060,6 +7468,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6669,7 +8078,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6892,6 +8301,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6923,6 +8367,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7074,10 +8519,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7462,6 +8910,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7476,6 +8925,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7506,6 +8956,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7520,6 +8971,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7560,6 +9012,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index cabad5391..337acd4fb 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: istios.sailoperator.io spec: group: sailoperator.io @@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version 
@@ -82,7 +86,11 @@ spec: namespace: default: istio-system description: Namespace to which the Istio components should be installed. + Note that this field is immutable. type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf profile: description: |- The built-in installation configuration profile to use. @@ -144,6 +152,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -172,7 +185,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -224,13 +237,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with 
@@ -244,7 +254,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -264,6 +274,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -305,7 +321,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -398,7 +414,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -465,7 +481,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be 
@@ -620,7 +636,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -645,6 +661,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress @@ -664,7 +682,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -955,7 +973,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -976,6 +994,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1062,7 +1086,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1083,6 +1107,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1129,7 +1159,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1192,26 +1222,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1237,6 +2297,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1269,11 +2335,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1321,7 +2618,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1331,8 +2628,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
@@ -1353,7 +2650,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -1458,12 +2756,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1535,7 +2833,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1553,7 +2851,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1733,7 +3032,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1751,7 +3050,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1861,7 +3161,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1879,7 +3179,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1997,7 +3298,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2183,6 +3484,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
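Review bot: The description of the new `setCurrentClientCertDetails` property still refers to `forward_client_cert_details` in snake_case, while every other description touched by this commit is moved to the camelCase form of the CRD field, so a reader of the generated schema cannot match that sentence to a sibling key in this object. The rest of the hunk does not show which sibling field controls the APPEND_FORWARD / SANITIZE_SET behaviour, so the correct camelCase name should be taken from the schema of the enclosing object; the enclosing properties block starts outside the hunk. Given that this file looks generated from the upstream proto (the other hunks carry "Marked as deprecated in ... .proto" trailers), the wording fix probably belongs in the proto source rather than here, otherwise the next regeneration will reintroduce it. Since this block configures what parts of the client certificate are copied into the XFCC header that upstream services trust, an accurate cross-reference here matters more than for most description-only renames.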
@@ -2445,7 +3781,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2598,7 +3934,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2616,7 +3952,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2726,8 +4063,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces 
@@ -2803,7 +4140,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: @@ -2832,8 +4169,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3016,7 +4353,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3024,10 +4361,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3035,7 +4372,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: 
@@ -3061,7 +4398,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3135,11 +4472,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3152,7 +4489,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3160,10 +4497,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3171,7 +4508,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: 
@@ -3180,7 +4517,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the @@ -3221,7 +4558,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3346,7 +4683,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3354,7 +4691,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3524,11 +4861,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3605,8 +4942,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3619,6 +4956,50 @@ spec:
 - clusterId
 - tenant
 type: object
+ grpc:
+ description: "Optional. Specifies the configuration
+ for exporting OTLP traces via GRPC.\nWhen empty,
+ traces will check whether HTTP is set.\nIf not,
+ traces will use default GRPC configurations.\n\nThe
+ following example shows how to configure the OpenTelemetry
+ ExtensionProvider to export via GRPC:\n\n1. Add/change
+ the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n
+ \ - name: opentelemetry\n opentelemetry:\n
+ \ port: 8090\n service: tracing.example.com\n
+ \ grpc:\n timeout: 10s\n initialMetadata:\n
+ \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2.
+ Deploy a `ServiceEntry` for the observability
+ back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind:
+ ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t-
+ tracing.example.com\n\tports:\n\t- number: 8090\n\t
+ \ name: grpc-port\n\t protocol: GRPC\n\tresolution:
+ DNS\n\tlocation: MESH_EXTERNAL\n\n```"
+ properties:
+ initialMetadata:
+ description: |-
+ Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
+ scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to
+ be injected.
+ items:
+ properties:
+ name:
+ description: REQUIRED. The HTTP header
+ name.
+ type: string
+ value:
+ description: REQUIRED. The HTTP header
+ value.
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ timeout:
+ description: Optional. Specifies the timeout
+ for the GRPC request.
+ type: string
+ type: object
 http:
 description: "Optional. Specifies the configuration
 for exporting OTLP traces via HTTP.\nWhen empty,
@@ -3697,7 +5078,7 @@ spec:
 opentelemetry:
 port: 443
 service: my.olly-backend.com
- resource_detectors:
+ resourceDetectors:
 environment: {}
 ```
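Review bot: The new `grpc.initialMetadata` description invites users to put "ad hoc authorization headers" here, and the example above it does exactly that with `value: \"token-xxxxx\"` under `Authentication`, but nothing says that these values are stored as plain text in MeshConfig (the Istio resource and, presumably, whatever mesh ConfigMap it is rendered into) rather than referenced from a Secret, so anyone who can read that object can read the token. I would add one sentence to the field description, e.g. `Note: header values are stored in plain text in MeshConfig and are readable by anyone with access to it; do not treat them as secrets.` This CRD is generated by controller-gen, so the wording belongs in the upstream proto comment that produces it rather than being hand-edited here. The quotes in `(e.g. “x-foo-bar: baz-key“)` are also mismatched typographic quotes (`“ … “`), which appear to have come through from the same source.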
@@ -3833,6 +5214,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3934,7 +5320,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4242,7 +5628,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4311,7 +5697,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4358,7 +5744,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4686,7 +6072,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4701,7 +6087,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4869,7 +6255,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4884,7 +6270,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5050,7 +6436,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5065,7 +6451,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5233,7 +6619,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5248,7 +6634,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5483,7 +6869,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5542,6 +6928,26 @@ spec:
 are PreferDualStack, RequireDualStack, and SingleStack.
 More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
 type: string
+ istiodRemote:
+ description: Configuration for the istio-discovery chart when
+ istiod is running in a remote cluster (e.g. "remote control
+ plane").
+ properties:
+ enabled:
+ description: Indicates if this cluster/install should
+ consume a "remote" istiod instance,
+ type: boolean
+ injectionCABundle:
+ description: injector ca bundle
+ type: string
+ injectionPath:
+ description: Path to use for the sidecar injector webhook
+ service.
+ type: string
+ injectionURL:
+ description: URL to use for sidecar injector webhook.
+ type: string
+ type: object
 jwksResolverExtraRootCA:
 description: |-
 Specifies an extra root certificate in PEM format. This certificate will be trusted
@@ -5561,7 +6967,7 @@ spec:
 See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
- Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 properties:
 targetAverageUtilization:
 description: |-
@@ -5579,7 +6985,7 @@ spec:
 See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
- Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 type: object
 podAnnotations:
 additionalProperties:
@@ -5589,7 +6995,7 @@ spec:
 See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.
+ Deprecated: Marked as deprecated in pkg/apis/values_types.proto.
 type: object
 podLabels:
 additionalProperties:
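Review bot: `injectionCABundle` is documented only as `injector ca bundle`, which tells the user neither the expected encoding nor what the bundle is verified against, while the neighbouring `jwksResolverExtraRootCA` description in the same hunk spells out "PEM format". Presumably this value ends up as the `caBundle` of the sidecar-injector webhook that points at `injectionURL`; if so, the description should say that and fix the encoding, e.g. `CA bundle used to verify the TLS certificate of the remote sidecar-injector webhook at injectionURL (same encoding as MutatingWebhookConfiguration clientConfig.caBundle) — confirm`, because a remote control plane wired up through `injectionURL` without a correct bundle is exactly the case where a user needs to know what goes here. The `enabled` description also ends in a comma (`consume a "remote" istiod instance,`), which reads as truncated. As this CRD is generated by controller-gen, both fixes belong in the Go type comments that produce it.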
@@ -5603,7 +7009,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5612,7 +7018,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5632,6 +7038,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5671,7 +7083,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5684,7 +7096,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5747,7 +7159,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6101,6 +7513,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6114,6 +7527,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6723,7 +8137,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6946,6 +8360,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6977,6 +8426,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7128,10 +8578,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7516,6 +8969,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7530,6 +8984,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7560,6 +9015,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7574,6 +9030,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7614,6 +9071,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7997,6 +9455,9 @@ spec: status: description: IstioStatus defines the observed state of Istio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index ef400a913..0ce8746a7 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.16.0 + controller-gen.kubebuilder.io/version: v0.16.4 name: remoteistios.sailoperator.io spec: group: sailoperator.io 
@@ -30,9 +30,13 @@ spec: jsonPath: .status.revisions.inUse name: In use type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string - description: The current state of the active revision. jsonPath: .status.state - name: Active Revision + name: Status type: string - description: The version of the control plane installation. jsonPath: .spec.version @@ -139,6 +143,11 @@ spec: base: description: Configuration for the base component. properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array validationCABundle: description: validation webhook CA bundle type: string @@ -167,7 +176,7 @@ spec: - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.\n\nDeprecated: - Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto." + Marked as deprecated in pkg/apis/values_types.proto." properties: amd64: description: Sets pod scheduling weight for amd64 arch @@ -219,13 +228,10 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object defaultPodDisruptionBudget: - description: |- - Specifies the default pod disruption budget configuration. - - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + description: Specifies the default pod disruption budget configuration. properties: enabled: description: Controls whether a PodDisruptionBudget with 
@@ -239,7 +245,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -259,6 +265,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -300,7 +312,7 @@ spec: Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -393,7 +405,7 @@ spec: Configure the policy for validating JWT. This is deprecated and has no effect. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string logAsJson: description: Specifies whether istio components should output @@ -460,7 +472,7 @@ spec: with the endpoint by\nadding the `ISTIO_META_NETWORK` environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. By matching the registry name with one of the \"fromRegistry\"\n\tin - the mesh config. A \"from_registry\" can only be + the mesh config. A \"fromRegistry\" can only be assigned to a\n\tsingle network.\n\n\tb. By matching the IP against one of the CIDR ranges in a mesh\n\tconfig network. The CIDR ranges must not overlap and be 
@@ -615,7 +627,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: string proxy: description: Specifies how proxies are configured within Istio. @@ -640,6 +652,8 @@ spec: Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean excludeIPRanges: description: Lists the excluded IP ranges of Istio egress @@ -659,7 +673,7 @@ spec: Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: boolean image: description: |- @@ -950,7 +964,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -971,6 +985,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1057,7 +1077,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -1078,6 +1098,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -1124,7 +1150,7 @@ spec: instead of using K8S secrets to mount the certificates. properties: token: - description: 'Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto.' + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' properties: aud: type: string 
@@ -1187,26 +1213,1056 @@ spec: format: int32 type: integer type: object - zipkin: - description: Configuration for the zipkin tracing service. - properties: - address: - description: |- - Address of zipkin instance in host:port format for reporting trace data. + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). 
+ properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. 
+ This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
+ Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. 
+ items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. 
+ null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. 
+ properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. 
+ Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. 
Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. - Example: .:941 - type: string + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. 
+ properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms type: object - type: object - variant: - description: The variant of the Istio container images to - use. Options are "debug" or "distroless". Unset will use - the default for the given version. - type: string - waypoint: - description: Specifies how waypoints are configured within - Istio. - properties: + x-kubernetes-map-type: atomic resources: description: |- K8s resource settings. @@ -1232,6 +2288,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object 
@@ -1264,11 +2326,242 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. 
+ + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. 
The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. 
+ When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. 
Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). 
In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array type: object type: object istiodRemote: - description: Configuration for istiod-remote. + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean injectionCABundle: description: injector ca bundle type: string @@ -1316,7 +2609,7 @@ spec: type: string istiodSide: description: |- - Use istiod_side to specify CA Server integrate to Istiod side or Agent side + Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true type: boolean requestTimeout: @@ -1326,8 +2619,8 @@ spec: type: string tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. - Regarding tls_settings: + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates 
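Review bot: The new `istiodRemote` description marks the whole block "DEPRECATED" while in the same breath telling users to set `values.istiodRemote.enabled=true`, and the new `enabled` field this hunk adds is exactly that switch; as written, a reader cannot tell whether the deprecation covers the values block or only the removed istiod-remote chart. Since the text names `pkg/apis/values_types.proto` as its origin, the wording should be fixed there and the CRD regenerated, e.g. `DEPRECATED - the separate istiod-remote chart is removed; use the istio-discovery chart with values.istiodRemote.enabled=true instead.`, and the `enabled` description should end with a period rather than the dangling comma in `a "remote" istiod instance,`. Separately, the new `toleration` key (singular) sits next to a description that says "K8s tolerations settings" and next to plural siblings such as `topologySpreadConstraints`; if this mirrors the proto field name it is consistent with upstream, but it is worth confirming that values given under `toleration` actually reach the chart's `tolerations`, since a silently ignored toleration shows up only as unschedulable pods.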
@@ -1348,7 +2641,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- 
@@ -1453,12 +2747,12 @@ spec: Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. - Note that we can have multiple trustAnchor data for a same trust_domain. + Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. - If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. - If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. - If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. - If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. items: type: string type: array @@ -1530,7 +2824,7 @@ spec: type: array tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the MCP server + Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1548,7 +2842,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1728,7 +3023,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -1746,7 +3041,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1856,7 +3152,7 @@ spec: type: object tlsSettings: description: |- - Use the `tls_settings` to specify the tls mode to use. If the remote service + Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: 
@@ -1874,7 +3170,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -1992,7 +3289,7 @@ spec: address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. - The default value of num_trusted_proxies is 0. + The default value of numTrustedProxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. format: int32 
@@ -2178,6 +3475,41 @@ spec: header. By default, `istio-envoy` will be used. type: string type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object type: object proxyMetadata: additionalProperties: 
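Review bot: The new `setCurrentClientCertDetails` description still refers to `forward_client_cert_details` in snake_case, whereas every other description touched by this commit was converted to the camelCase CRD field name (`forwardClientCertDetails`); a user grepping the schema for the controlling field will not find it under that spelling. Suggested wording for the first line: `This field is valid only when forwardClientCertDetails is APPEND_FORWARD or SANITIZE_SET`. It would also help operators reviewing what ends up in the XFCC header if the parent description stated the effective defaults in one place, since they are currently spread across the five sub-fields (`cert`/`chain` default false, `dns`/`subject`/`uri` default true per their descriptions) and are the values that decide how much client-certificate material is forwarded upstream.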
@@ -2440,7 +3772,7 @@ spec: The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then - sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. type: string tracing: @@ -2593,7 +3925,7 @@ spec: type: object tlsSettings: description: |- - Use the tls_settings to specify the tls mode to use. If the remote tracing service + Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. properties: @@ -2611,7 +3943,8 @@ spec: to use in verifying a presented server certificate. `CRL` is a list of certificates that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. - If omitted, the proxy will not verify the certificate against the `crl`. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. type: string clientCertificate: description: |- @@ -2721,8 +4054,8 @@ spec: <= 1 defaultDestinationRuleExportTo: description: |- - The default value for the `DestinationRule.export_to` field. Has the same - syntax as `default_service_export_to`. + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces 
@@ -2798,7 +4131,7 @@ spec: type: object defaultServiceExportTo: description: |- - The default value for the ServiceEntry.export_to field and services + The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: @@ -2827,8 +4160,8 @@ spec: type: array defaultVirtualServiceExportTo: description: |- - The default value for the VirtualService.export_to field. Has the same - syntax as `default_service_export_to`. + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces @@ -3011,7 +4344,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3019,10 +4352,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3030,7 +4363,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object port: 
@@ -3056,7 +4389,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3130,11 +4463,11 @@ spec: description: |- Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. - Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. type: object includeHeadersInCheck: description: |- - DEPRECATED. Use include_request_headers_in_check instead. + DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. items: @@ -3147,7 +4480,7 @@ spec: properties: allowPartialMessage: description: |- - When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial. 
@@ -3155,10 +4488,10 @@ spec: maxRequestBytes: description: |- Sets the maximum size of a message body that the ext-authz filter will hold in memory. - If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. - Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the - fail_open is set to true. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. format: int32 type: integer packAsBytes: @@ -3166,7 +4499,7 @@ spec: If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). - This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider. + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. type: boolean type: object includeRequestHeadersInCheck: 
@@ -3175,7 +4508,7 @@ spec: Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization - request can include the buffered client request body (controlled by include_request_body_in_check setting), + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the @@ -3216,7 +4549,7 @@ spec: description: |- The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. - In this situation, the response sent back to the client will depend on the configured `fail_open` field. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. type: string required: - port @@ -3341,7 +4674,7 @@ spec: dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is\nsupported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias - to `attributes` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" type: object text: 
@@ -3349,7 +4682,7 @@ spec: Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) provides more information. - Alias to `body` filed in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` type: string type: object @@ -3519,11 +4852,11 @@ spec: headers: - name: "Authorization" value: "Api-Token dt0c01." - resource_detectors: + resourceDetectors: dynatrace: {} - dynatrace_sampler: + dynatraceSampler: tenant: "{your-environment-id}" - cluster_id: 1234 + clusterId: 1234 properties: clusterId: description: |- @@ -3600,8 +4933,8 @@ spec: A default value of `1000` is used when: - - `root_spans_per_minute` is unset - - `root_spans_per_minute` is set to 0 + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 format: int32 type: integer tenant: 
@@ -3614,6 +4947,50 @@ spec: - clusterId - tenant type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to + be injected. + items: + properties: + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: REQUIRED. The HTTP header + value. + type: string + required: + - name + - value + type: object + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object http: description: "Optional. Specifies the configuration for exporting OTLP traces via HTTP.\nWhen empty, @@ -3692,7 +5069,7 @@ spec: opentelemetry: port: 443 service: my.olly-backend.com - resource_detectors: + resourceDetectors: environment: {} ``` 
@@ -3828,6 +5205,11 @@ spec: NOTE: currently only controls max length of the path tag. format: int32 type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string port: description: REQUIRED. Specifies the port of the service. @@ -3929,7 +5311,7 @@ spec: the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. - It is recommended that this is the same value as ingress_service. + It is recommended that this is the same value as ingressService. type: string ingressService: description: |- @@ -4237,7 +5619,7 @@ spec: ```yaml serviceSettings: - settings: - cluster_local: true + clusterLocal: true hosts: - "*.foo.svc.cluster.local" - "bar.baz.svc.cluster.local" @@ -4306,7 +5688,7 @@ spec: tlsDefaults: description: |- Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. - Currently, this supports configuration of ecdh_curves and cipher_suites only. + Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. properties: cipherSuites: @@ -4353,7 +5735,7 @@ spec: type: string trustDomainAliases: description: |- - The trust domain aliases represent the aliases of `trust_domain`. + The trust domain aliases represent the aliases of `trustDomain`. For example, if we have ```yaml trustDomain: td1 @@ -4681,7 +6063,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -4696,7 +6078,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4864,7 +6246,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -4879,7 +6261,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5045,7 +6427,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array 
@@ -5060,7 +6442,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5228,7 +6610,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5243,7 +6625,7 @@ spec: pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. - This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default). items: type: string type: array @@ -5478,7 +6860,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- 
@@ -5537,6 +6919,26 @@ spec: are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object jwksResolverExtraRootCA: description: |- Specifies an extra root certificate in PEM format. This certificate will be trusted @@ -5556,7 +6958,7 @@ spec: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: targetAverageUtilization: description: |- @@ -5574,7 +6976,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podAnnotations: additionalProperties: @@ -5584,7 +6986,7 @@ spec: See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. type: object podLabels: additionalProperties: 
@@ -5598,7 +7000,7 @@ spec: description: |- Number of replicas in the Pilot Deployment. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. format: int32 type: integer resources: @@ -5607,7 +7009,7 @@ spec: See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. properties: claims: description: |- @@ -5627,6 +7029,12 @@ spec: the Pod where this field is used. It makes that resource available inside a container. type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string required: - name type: object @@ -5666,7 +7074,7 @@ spec: description: |- K8s rolling update strategy - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true rollingMaxUnavailable: anyOf: @@ -5679,7 +7087,7 @@ spec: May be specified as a number of pods or as a percent of the total number of pods at the start of the update. - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. x-kubernetes-int-or-string: true seccompProfile: description: |- 
@@ -5742,7 +7150,7 @@ spec: scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling - Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. items: description: |- The pod this Toleration is attached to tolerates any taint that matches @@ -6096,6 +7504,7 @@ spec: the blob storage type: string fsType: + default: ext4 description: |- fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -6109,6 +7518,7 @@ spec: set). defaults to shared' type: string readOnly: + default: false description: |- readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. @@ -6718,7 +8128,7 @@ spec: set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists. More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ - (Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled. + (Beta) Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default). type: string volumeMode: description: |- 
@@ -6941,6 +8351,41 @@ spec: required: - path type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath). + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. 
+ Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object iscsi: description: |- iscsi represents an ISCSI Disk resource that is attached to a @@ -6972,6 +8417,7 @@ spec: description: iqn is the target iSCSI Qualified Name. type: string iscsiInterface: + default: default description: |- iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). @@ -7123,10 +8569,13 @@ spec: format: int32 type: integer sources: - description: sources is the list of volume projections + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. items: - description: Projection that may be projected - along with other supported volume types + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. properties: clusterTrustBundle: description: |- 
@@ -7511,6 +8960,7 @@ spec: More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it type: string keyring: + default: /etc/ceph/keyring description: |- keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. @@ -7525,6 +8975,7 @@ spec: type: array x-kubernetes-list-type: atomic pool: + default: rbd description: |- pool is the rados pool name. Default is rbd. @@ -7555,6 +9006,7 @@ spec: type: object x-kubernetes-map-type: atomic user: + default: admin description: |- user is the rados user name. Default is admin. @@ -7569,6 +9021,7 @@ spec: volume attached and mounted on Kubernetes nodes. properties: fsType: + default: xfs description: |- fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. @@ -7609,6 +9062,7 @@ spec: communication with Gateway, default false type: boolean storageMode: + default: ThinProvisioned description: |- storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. @@ -7992,6 +9446,9 @@ spec: status: description: RemoteIstioStatus defines the observed state of RemoteIstio properties: + activeRevisionName: + description: The name of the active revision. + type: string conditions: description: Represents the latest available observations of the object's current state. diff --git a/chart/crds/security.istio.io_authorizationpolicies.yaml b/chart/crds/security.istio.io_authorizationpolicies.yaml index 409adc3c4..0f72f71e1 100644 --- a/chart/crds/security.istio.io_authorizationpolicies.yaml +++ b/chart/crds/security.istio.io_authorizationpolicies.yaml 
@@ -295,8 +295,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -644,8 +648,12 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: diff --git a/chart/crds/security.istio.io_requestauthentications.yaml b/chart/crds/security.istio.io_requestauthentications.yaml index 17f28394c..53fe59d32 100644 --- a/chart/crds/security.istio.io_requestauthentications.yaml +++ b/chart/crds/security.istio.io_requestauthentications.yaml @@ -229,10 +229,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: 
@@ -515,10 +516,11 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: diff --git a/chart/crds/telemetry.istio.io_telemetries.yaml b/chart/crds/telemetry.istio.io_telemetries.yaml index 7b6e42a1e..c858b2995 100644 --- a/chart/crds/telemetry.istio.io_telemetries.yaml +++ b/chart/crds/telemetry.istio.io_telemetries.yaml @@ -281,6 +281,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -392,6 +393,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: @@ -725,6 +729,7 @@ spec: gateway.networking.k8s.io/Gateway rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' + maxItems: 16 type: array tracing: description: Optional. @@ -836,6 +841,9 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: properties: conditions: 
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml index 0067d9eaa..7a6820bb6 100644 --- a/chart/templates/deployment.yaml +++ b/chart/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: labels: - app.kubernetes.io/component: manager + app.kubernetes.io/component: sail-operator app.kubernetes.io/created-by: {{ .Values.name }} app.kubernetes.io/instance: {{ .Values.deployment.name }} app.kubernetes.io/managed-by: helm @@ -22,7 +22,7 @@ spec: template: metadata: annotations: - kubectl.kubernetes.io/default-container: manager + kubectl.kubernetes.io/default-container: sail-operator {{- range $key, $val := .Values.deployment.annotations }} {{ $key | quote }}: {{ $val | quote}} {{- end }} @@ -53,7 +53,10 @@ spec: - --upstream=http://127.0.0.1:8080/ - --logtostderr=true - --v=0 - image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + image: {{ .Values.proxy.image }} +{{- if .Values.proxy.imagePullPolicy }} + imagePullPolicy: {{ .Values.proxy.imagePullPolicy }} +{{- end }} name: kube-rbac-proxy ports: - containerPort: 8443 @@ -61,11 +64,11 @@ spec: protocol: TCP resources: limits: - cpu: 500m - memory: 128Mi + cpu: {{ .Values.proxy.resources.limits.cpu }} + memory: {{ .Values.proxy.resources.limits.memory }} requests: - cpu: 5m - memory: 64Mi + cpu: {{ .Values.proxy.resources.requests.cpu }} + memory: {{ .Values.proxy.resources.requests.memory }} securityContext: allowPrivilegeEscalation: false capabilities: 
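Review bot: `image: {{ .Values.proxy.image }}` in the kube-rbac-proxy container renders a bare `image:` (null) when the value is unset or overridden to empty, and the mistake then surfaces as a Deployment rejected by the API server instead of at template time; a `required` guard makes the omission explicit and quoting keeps the scalar a string: `image: {{ required "proxy.image must be set" .Values.proxy.image | quote }}`. Note that the default that moves into values.yaml is still a mutable version tag rather than a digest, so the supply-chain pin is no stronger than the hard-coded line it replaces. The container spec continues outside the hunk.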
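Review bot: The proxy `resources` stanza hard-codes exactly four request/limit keys, so a values override cannot drop a limit or add another resource such as `ephemeral-storage`, and an unset key renders an empty `cpu:` or `memory:`. Rendering the whole map is shorter and more flexible: `resources:` followed by `{{- toYaml .Values.proxy.resources | nindent N }}`, with N matching the container's indentation (the indentation is not recoverable from this view). The same applies to the operator container's resources in the following hunk.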
@@ -74,20 +77,23 @@ spec: - args: - --health-probe-bind-address=:8081 - --metrics-bind-address=127.0.0.1:8080 + - --zap-log-level={{ .Values.operatorLogLevel }} {{- if eq .Values.platform "openshift" }} - --default-profile=openshift {{- end }} command: - - /manager + - /sail-operator image: {{ .Values.image }} +{{- if .Values.proxy.imagePullPolicy }} imagePullPolicy: {{ .Values.imagePullPolicy }} +{{- end }} livenessProbe: httpGet: path: /healthz port: 8081 initialDelaySeconds: 15 periodSeconds: 20 - name: manager + name: sail-operator readinessProbe: httpGet: path: /readyz @@ -96,11 +102,11 @@ spec: periodSeconds: 10 resources: limits: - cpu: 500m - memory: 512Mi + cpu: {{ .Values.operator.resources.limits.cpu }} + memory: {{ .Values.operator.resources.limits.memory }} requests: - cpu: 10m - memory: 64Mi + cpu: {{ .Values.operator.resources.requests.cpu }} + memory: {{ .Values.operator.resources.requests.memory }} securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/chart/templates/olm/scorecard.yaml b/chart/templates/olm/scorecard.yaml index 4bd164b92..feebc2ada 100644 --- a/chart/templates/olm/scorecard.yaml +++ b/chart/templates/olm/scorecard.yaml @@ -9,7 +9,7 @@ stages: - entrypoint: - scorecard-test - basic-check-spec - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: basic test: basic-check-spec-test @@ -19,7 +19,7 @@ stages: - entrypoint: - scorecard-test - olm-bundle-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-bundle-validation-test @@ -29,7 +29,7 @@ stages: - entrypoint: - scorecard-test - olm-crds-have-validation - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-crds-have-validation-test 
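Review bot: The operator container's `imagePullPolicy` is gated on the wrong value: the `{{- if .Values.proxy.imagePullPolicy }}` guard around `imagePullPolicy: {{ .Values.imagePullPolicy }}` tests the kube-rbac-proxy setting, so setting only `imagePullPolicy` is silently ignored, while setting only `proxy.imagePullPolicy` renders a bare `imagePullPolicy:` on the operator container. The guard should read `{{- if .Values.imagePullPolicy }}`. Because both values are commented out in the shipped values.yaml, neither case renders in a default install, which is why this is not caught there. The container spec continues past the end of the hunk.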
@@ -39,7 +39,7 @@ stages: - entrypoint: - scorecard-test - olm-spec-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-spec-descriptors-test @@ -49,7 +49,7 @@ stages: - entrypoint: - scorecard-test - olm-status-descriptors - image: quay.io/operator-framework/scorecard-test:v1.36.1 + image: quay.io/operator-framework/scorecard-test:v1.37.0 labels: suite: olm test: olm-status-descriptors-test diff --git a/chart/templates/rbac/service_account.yaml b/chart/templates/rbac/service_account.yaml index 1deb8c2b8..557a5a40f 100644 --- a/chart/templates/rbac/service_account.yaml +++ b/chart/templates/rbac/service_account.yaml @@ -8,3 +8,10 @@ metadata: app.kubernetes.io/managed-by: helm name: {{ .Values.serviceAccountName }} namespace: {{ .Release.Namespace }} + {{- if .Values.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + \ No newline at end of file diff --git a/chart/values.yaml b/chart/values.yaml index 3c0b2f5a7..ade390a55 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -6,6 +6,8 @@ service: port: 8443 serviceAccountName: sail-operator +operatorLogLevel: info + csv: displayName: Sail Operator categories: OpenShift Optional, Integration & Delivery, Networking, Security @@ -16,10 +18,10 @@ csv: This version of the operator supports the following Istio versions: - - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest (b28bdd77) + - v1.23.2 + - v1.22.5 + - v1.21.6 + - latest (1d92787e) [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based 
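Review bot: In the new `imagePullSecrets` loop, `- name: {{ . }}` emits the secret name as an unquoted scalar; Helm convention is `- name: {{ . | quote }}` so a name that happens to look like a number or boolean is not retyped by the YAML parser. The range also only accepts a list of plain strings, whereas many charts take `imagePullSecrets` as a list of `{name: ...}` objects, so the expected shape is worth stating in values.yaml, which in the visible hunks does not add an `imagePullSecrets` default (it may be declared outside this view). The file also ends without a trailing newline and with a whitespace-only line after the final `{{- end }}`.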
@@ -43,7 +45,27 @@ csv: features.operators.openshift.io/cni: "true" features.operators.openshift.io/csi: "false" image: quay.io/maistra-dev/sail-operator:3.0-latest -imagePullPolicy: Always +# We're commenting out the imagePullPolicy to use k8s defaults +# imagePullPolicy: Always +proxy: + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.16.0 + # We're commenting out the imagePullPolicy to use k8s defaults + # imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi +operator: + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 10m + memory: 64Mi # setting this to true will add resources required to generate the bundle using operator-sdk bundleGeneration: false diff --git a/cmd/main.go b/cmd/main.go index 9f4452e8b..d4b48d789 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -120,7 +120,7 @@ func main() { // LeaderElectionReleaseOnCancel: true, }) if err != nil { - setupLog.Error(err, "unable to start manager") + setupLog.Error(err, "unable to start sail-operator manager") os.Exit(1) } @@ -171,9 +171,9 @@ func main() { os.Exit(1) } - setupLog.Info("starting manager") + setupLog.Info("starting sail-operator manager") if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil { - setupLog.Error(err, "problem running manager") + setupLog.Error(err, "problem running sail-operator manager") os.Exit(1) } } diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha index a874dc931..aebb24f3e 100644 --- a/common/.commonfiles.sha +++ b/common/.commonfiles.sha @@ -1 +1 @@ -cdaae915bb35ae5d50de458066ea6d86c1ab3b1c +82dc68a737b72d394c344d4fd71ff9e9ebf01852 diff --git a/common/scripts/kind_provisioner.sh b/common/scripts/kind_provisioner.sh index 9c372b9ca..9e9ea59cf 100644 --- a/common/scripts/kind_provisioner.sh +++ b/common/scripts/kind_provisioner.sh 
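Review bot: Commenting out `imagePullPolicy: Always` while the default operator image stays `quay.io/maistra-dev/sail-operator:3.0-latest` changes what actually runs: the kubelet only defaults to `Always` for the literal `:latest` tag (or no tag), so `3.0-latest` now defaults to `IfNotPresent` and each node keeps whichever build it has cached, which makes the floating tag invisible to upgrades and inconsistent across nodes. Either keep `imagePullPolicy: Always` for as long as the default is a floating tag, or make the default an immutable reference (a release tag or an `@sha256:` digest) so that `IfNotPresent` is safe; the comment `# We're commenting out the imagePullPolicy to use k8s defaults` should then say which of the two the chart relies on. The same consideration applies to `proxy.image`, which is pinned by tag rather than digest.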
@@ -34,6 +34,9 @@ set -x # DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s) DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.28.4" +# the default kind cluster should be ipv4 if not otherwise specified +IP_FAMILY="${IP_FAMILY:-ipv4}" + # COMMON_SCRIPTS contains the directory this file is in. COMMON_SCRIPTS=$(dirname "${BASH_SOURCE:-$0}") @@ -174,11 +177,6 @@ function setup_kind_cluster() { CONFIG=${DEFAULT_CLUSTER_YAML} fi - # Configure the ipFamily of the cluster - if [ -n "${IP_FAMILY}" ]; then - yq eval ".networking.ipFamily = \"${IP_FAMILY}\"" -i "${CONFIG}" - fi - KIND_WAIT_FLAG="--wait=180s" KIND_DISABLE_CNI="false" if [[ -n "${KUBERNETES_CNI:-}" ]]; then @@ -187,7 +185,8 @@ function setup_kind_cluster() { fi # Create KinD cluster - if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" | \ + if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" \ + --expression ".networking.ipFamily = \"${IP_FAMILY}\"" | \ kind create cluster --name="${NAME}" -v4 --retain --image "${IMAGE}" ${KIND_WAIT_FLAG:+"$KIND_WAIT_FLAG"} --config -); then echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs." return 9 diff --git a/common/scripts/run.sh b/common/scripts/run.sh index e9629a39c..9efe2ce03 100755 --- a/common/scripts/run.sh +++ b/common/scripts/run.sh @@ -36,7 +36,7 @@ MOUNT_DEST="${MOUNT_DEST:-/work}" read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}" -[[ -t 1 ]] && DOCKER_RUN_OPTIONS+=("-it") +[[ -t 0 ]] && DOCKER_RUN_OPTIONS+=("-it") [[ ${UID} -ne 0 ]] && DOCKER_RUN_OPTIONS+=(-u "${UID}:${DOCKER_GID}") # $CONTAINER_OPTIONS becomes an empty arg when quoted, so SC2086 is disabled for the diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh index ee932a946..c63f1fa33 100755 --- a/common/scripts/setup_env.sh +++ b/common/scripts/setup_env.sh 
@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
- IMAGE_VERSION=master-0aa2afb4bac9a4fd1bfe50a929c077a643066b3a
+ IMAGE_VERSION=master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
 IMAGE_NAME=build-tools
diff --git a/controllers/istio/istio_controller.go b/controllers/istio/istio_controller.go
index f7644e0d8..b46119796 100644
--- a/controllers/istio/istio_controller.go
+++ b/controllers/istio/istio_controller.go
@@ -207,6 +207,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.Istio,
 })
 status.State = v1alpha1.IstioReasonReconcileError
 } else {
+ status.ActiveRevisionName = getActiveRevisionName(istio)
 rev, err := r.getActiveRevision(ctx, istio)
 if apierrors.IsNotFound(err) {
 revisionNotFound := func(conditionType v1alpha1.IstioConditionType) v1alpha1.IstioCondition {
diff --git a/controllers/istio/istio_controller_test.go b/controllers/istio/istio_controller_test.go
index 020529823..fe8e199fb 100644
--- a/controllers/istio/istio_controller_test.go
+++ b/controllers/istio/istio_controller_test.go
@@ -367,6 +367,7 @@ func TestDetermineStatus(t *testing.T) {
 Message: "ready message",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: 2,
 Ready: 1,
@@ -378,7 +379,7 @@ func TestDetermineStatus(t *testing.T) {
 name: "shows correct revision counts",
 wantErr: false,
 revisions: []v1alpha1.IstioRevision{
- // owned by the Istio under test; 3 todal, 2 ready, 1 in use
+ // owned by the Istio under test; 3 total, 2 ready, 1 in use
 revision(istioKey.Name, ownedByIstio, true, true, true),
 revision(istioKey.Name+"-old1", ownedByIstio, true, true, false),
 revision(istioKey.Name+"-old2", ownedByIstio, true, false, false),
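Review bot: `status.ActiveRevisionName` is assigned only inside the `else` branch of the istio_controller.go hunk, so when reconciliation failed (the `IstioReasonReconcileError` branch just above) the status carries no active revision name, or a stale one if `status` is reused between calls — its construction is not visible here. `getActiveRevisionName(istio)` appears to need only the Istio object, so it could be assigned once before the `if`/`else`, e.g. `status.ActiveRevisionName = getActiveRevisionName(istio)` placed ahead of the branch, and the line inside `else` dropped; that keeps the reported name consistent across both outcomes. The same applies to the remoteistio_controller.go hunk further down. determineStatus starts and ends outside the hunk.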
@@ -398,6 +399,7 @@ func TestDetermineStatus(t *testing.T) {
 Status: metav1.ConditionTrue,
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: 3,
 Ready: 2,
@@ -425,6 +427,7 @@ func TestDetermineStatus(t *testing.T) {
 Message: "active IstioRevision not found",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 },
 },
 {
@@ -455,7 +458,8 @@ func TestDetermineStatus(t *testing.T) {
 Message: "failed to get active IstioRevision: get failed: simulated error",
 },
 },
- Revisions: v1alpha1.RevisionSummary{},
+ ActiveRevisionName: istioKey.Name,
+ Revisions: v1alpha1.RevisionSummary{},
 },
 },
 {
@@ -486,6 +490,7 @@ func TestDetermineStatus(t *testing.T) {
 Message: "active IstioRevision not found",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: -1,
 Ready: -1,
@@ -587,6 +592,7 @@ func TestUpdateStatus(t *testing.T) {
 Message: "active IstioRevision not found",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: -1,
 Ready: -1,
@@ -625,6 +631,7 @@ func TestUpdateStatus(t *testing.T) {
 LastTransitionTime: *oneMinuteAgo,
 },
 },
+ ActiveRevisionName: istioKey.Name,
 },
 },
 revisions: []v1alpha1.IstioRevision{
@@ -673,6 +680,7 @@ func TestUpdateStatus(t *testing.T) {
 Message: "ready message",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 },
 disallowWrites: true,
 wantErr: false,
diff --git a/controllers/remoteistio/remoteistio_controller.go b/controllers/remoteistio/remoteistio_controller.go
index 32b2ac028..31c70a51c 100644
--- a/controllers/remoteistio/remoteistio_controller.go
+++ b/controllers/remoteistio/remoteistio_controller.go
@@ -206,6 +206,7 @@ func (r *Reconciler) determineStatus(ctx context.Context, istio *v1alpha1.Remote
 })
 status.State = v1alpha1.RemoteIstioReasonReconcileError
 } else {
+ status.ActiveRevisionName = getActiveRevisionName(istio)
 rev, err := r.getActiveRevision(ctx, istio)
 if apierrors.IsNotFound(err) {
 revisionNotFound := func(conditionType v1alpha1.RemoteIstioConditionType) v1alpha1.RemoteIstioCondition {
diff --git a/controllers/remoteistio/remoteistio_controller_test.go b/controllers/remoteistio/remoteistio_controller_test.go
index 9e4f3732c..c9ff33f0a 100644
--- a/controllers/remoteistio/remoteistio_controller_test.go
+++ b/controllers/remoteistio/remoteistio_controller_test.go
@@ -367,6 +367,7 @@ func TestDetermineStatus(t *testing.T) {
 Message: "ready message",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: 2,
 Ready: 1,
@@ -398,6 +399,7 @@ func TestDetermineStatus(t *testing.T) {
 Status: metav1.ConditionTrue,
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: 3,
 Ready: 2,
@@ -425,6 +427,7 @@ func TestDetermineStatus(t *testing.T) {
 Message: "active IstioRevision not found",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 },
 },
 {
@@ -455,7 +458,8 @@ func TestDetermineStatus(t *testing.T) {
 Message: "failed to get active IstioRevision: get failed: simulated error",
 },
 },
- Revisions: v1alpha1.RevisionSummary{},
+ ActiveRevisionName: istioKey.Name,
+ Revisions: v1alpha1.RevisionSummary{},
 },
 },
 {
@@ -486,6 +490,7 @@ func TestDetermineStatus(t *testing.T) {
 Message: "active IstioRevision not found",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: -1,
 Ready: -1,
@@ -587,6 +592,7 @@ func TestUpdateStatus(t *testing.T) {
 Message: "active IstioRevision not found",
 },
 },
+ ActiveRevisionName: istioKey.Name,
 Revisions: v1alpha1.RevisionSummary{
 Total: -1,
 Ready: -1,
@@ -625,6 +631,7 @@ func TestUpdateStatus(t *testing.T) { LastTransitionTime: *oneMinuteAgo, }, }, + ActiveRevisionName: istioKey.Name, }, }, revisions: []v1alpha1.IstioRevision{ @@ -673,6 +680,7 @@ func TestUpdateStatus(t *testing.T) { Message: "ready message", }, }, + ActiveRevisionName: istioKey.Name, }, disallowWrites: true, wantErr: false, diff --git a/docs/README.md b/docs/README.md index 64bdbefdd..3dbb06a24 100644 --- a/docs/README.md +++ b/docs/README.md @@ -22,6 +22,15 @@ - [RevisionBased](#revisionbased) - [Example using the RevisionBased strategy](#example-using-the-revisionbased-strategy) - [Multi-cluster](#multi-cluster) + - [Prerequisites](#prerequisites) + - [Common Setup](#common-setup) + - [Multi-Primary](#multi-primary---multi-network) + - [Primary-Remote](#primary-remote---multi-network) + - [External Control Plane](#external-control-plane) +- [Dual-stack Support](#dual-stack-support) + - [Prerequisites](#prerequisites-1) + - [Installation Steps](#installation-steps) + - [Validation](#validation) - [Addons](#addons) - [Deploy Prometheus and Jaeger addons](#deploy-prometheus-and-jaeger-addons) - [Deploy Kiali addon](#deploy-kiali-addon) 
@@ -47,7 +56,7 @@ Sail Operator manages the lifecycle of your Istio control planes. Instead of cre ## Concepts ### Istio resource -The `Istio` resource is used to manage your Istio control planes. It is a cluster-wide resource, as the Istio control plane operates in and requires access to the entire cluster. To select a namespace to run the control plane pods in, you can use the `spec.namespace` field. You can access all helm chart options through the `values` field in the `spec`: +The `Istio` resource is used to manage your Istio control planes. It is a cluster-wide resource, as the Istio control plane operates in and requires access to the entire cluster. To select a namespace to run the control plane pods in, you can use the `spec.namespace` field. Note that this field is immutable, though: in order to move a control plane to another namespace, you have to remove the Istio resource and recreate it with a different `spec.namespace`. You can access all helm chart options through the `values` field in the `spec`: ```yaml apiVersion: sailoperator.io/v1alpha1 @@ -260,7 +269,7 @@ When the `InPlace` strategy is used, the existing Istio control plane is replace Prerequisites: * Sail Operator is installed. -* `istioctl` is installed. +* `istioctl` is [installed](common/install-istioctl-tool.md). Steps: 1. Create the `istio-system` namespace. @@ -336,7 +345,7 @@ When the `RevisionBased` strategy is used, a new Istio control plane instance is Prerequisites: * Sail Operator is installed. -* `istioctl` is installed. +* `istioctl` is [installed](common/install-istioctl-tool.md). Steps: 
@@ -472,13 +481,12 @@ Steps: You can use the Sail Operator and the Sail CRDs to manage a multi-cluster Istio deployment. The following instructions are adapted from the [Istio multi-cluster documentation](https://istio.io/latest/docs/setup/install/multicluster/) to demonstrate how you can setup the various deployment models with Sail. Please familiarize yourself with the different [deployment models](https://istio.io/latest/docs/ops/deployment/deployment-models/) before starting. -*Prerequisites* - -Each deployment model requires you to install the Sail Operator and the Sail CRDs to every cluster that is part of the mesh. +### Prerequisites -- Install [istioctl](https://istio.io/latest/docs/setup/install/istioctl) and have it included in your `$PATH`. +- Install [istioctl](common/install-istioctl-tool.md). - Two kubernetes clusters with external lb support. (If using kind, `cloud-provider-kind` is running in the background) - kubeconfig file with a context for each cluster. +- Install the Sail Operator and the Sail CRDs to every cluster. ### Common Setup @@ -502,7 +510,7 @@ These steps are common to every multi-cluster deployment and should be completed kubectl get ns istio-system --context "${CTX_CLUSTER2}" || kubectl create namespace istio-system --context "${CTX_CLUSTER2}" ``` -2. Create shared trust and add intermediate CAs to each cluster. +3. Create shared trust and add intermediate CAs to each cluster. If you already have a [shared trust](https://istio.io/latest/docs/setup/install/multicluster/before-you-begin/#configure-trust) for each cluster you can skip this. Otherwise, you can use the instructions below to create a shared trust and push the intermediate CAs into your clusters. 
@@ -868,6 +876,432 @@ In this setup there is a Primary cluster (`cluster1`) and a Remote cluster (`clu kubectl delete ns sample --context="${CTX_CLUSTER2}" ``` +### External Control Plane + +These instructions install an [external control plane](https://istio.io/latest/docs/setup/install/external-controlplane/) Istio deployment using the Sail Operator and Sail CRDs. **Before you begin**, ensure you meet the requirements of the [common setup](#common-setup) and complete **only** the "Setup env vars" step. Unlike other Multi-Cluster deployments, you won't be creating a common CA in this setup. + +These installation instructions are adapted from [Istio's external control plane documentation](https://istio.io/latest/docs/setup/install/external-controlplane/) and are intended to be run in a development environment, such as `kind`, rather than in production. + +In this setup there is an external control plane cluster (`cluster1`) and a remote cluster (`cluster2`) which are on separate networks. + +1. Create an `Istio` resource on `cluster1` to manage the ingress gateways for the external control plane. + + ```sh + kubectl create namespace istio-system --context "${CTX_CLUSTER1}" + kubectl apply --context "${CTX_CLUSTER1}" -f - < /dev/null || \ + { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.1.0" | kubectl apply -f - --context="${CTX_CLUSTER2}"; } + ``` + + Expose `helloworld` through the ingress gateway. + ```sh + kubectl apply -f https://raw.githubusercontent.com/istio/istio/${ISTIO_VERSION}/samples/helloworld/gateway-api/helloworld-gateway.yaml -n sample --context="${CTX_CLUSTER2}" + kubectl -n sample --context="${CTX_CLUSTER2}" wait --for=condition=programmed gtw helloworld-gateway + ``` + + Confirm you can access the `helloworld` application through the ingress gateway created in the Remote cluster. 
+ ```sh + curl -s "http://$(kubectl -n sample --context="${CTX_CLUSTER2}" get gtw helloworld-gateway -o jsonpath='{.status.addresses[0].value}'):80/hello" + ``` + You should see a response from the `helloworld` application: + ```sh + Hello version: v1, instance: helloworld-v1-6d65866976-jb6qc + ``` + +15. Cleanup + + ```sh + kubectl delete istios default --context="${CTX_CLUSTER1}" + kubectl delete ns istio-system --context="${CTX_CLUSTER1}" + kubectl delete istios external-istiod --context="${CTX_CLUSTER1}" + kubectl delete ns external-istiod --context="${CTX_CLUSTER1}" + kubectl delete remoteistios external-istiod --context="${CTX_CLUSTER2}" + kubectl delete ns external-istiod --context="${CTX_CLUSTER2}" + kubectl delete ns sample --context="${CTX_CLUSTER2}" + ``` + +## Dual-stack Support + +Kubernetes supports dual-stack networking as a stable feature starting from +[v1.23](https://kubernetes.io/docs/concepts/services-networking/dual-stack/), allowing clusters to handle both +IPv4 and IPv6 traffic. With many cloud providers also beginning to offer dual-stack Kubernetes clusters, it's easier +than ever to run services that function across both address types. Istio introduced dual-stack as an experimental +feature in version 1.17, and it's expected to be promoted to [Alpha](https://github.com/istio/istio/issues/47998) in +version 1.24. With Istio in dual-stack mode, services can communicate over both IPv4 and IPv6 endpoints, which helps +organizations transition to IPv6 while still maintaining compatibility with their existing IPv4 infrastructure. + +When Kubernetes is configured for dual-stack, it automatically assigns an IPv4 and an IPv6 address to each pod, +enabling them to communicate over both IP families. For services, however, you can control how they behave using +the `ipFamilyPolicy` setting. + +Service.Spec.ipFamilyPolicy can take the following values +- SingleStack: Only one IP family is configured for the service, which can be either IPv4 or IPv6. 
+- PreferDualStack: Both IPv4 and IPv6 cluster IPs are assigned to the Service when dual-stack is enabled. + However, if dual-stack is not enabled or supported, it falls back to singleStack behavior. +- RequireDualStack: The service will be created only if both IPv4 and IPv6 addresses can be assigned. + +This allows you to specify the type of service, providing flexibility in managing your network configuration. +For more details, you can refer to the Kubernetes [documentation](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services). + +### Prerequisites + +- Kubernetes 1.23 or later configured with dual-stack support. +- Sail Operator is installed. + +### Installation Steps + +You can use any existing Kind cluster that supports dual-stack networking or, alternatively, install one using the following command. + +```sh +kind create cluster --name istio-ds --config - <=. This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. | | | | `repairPods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod. | | | -| `createEvents` _string_ | No longer used. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `createEvents` _string_ | No longer used. 
Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `deletePods` _boolean_ | The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. The mode defines the action the controller will take when a pod is detected as broken. If deletePods is true, the controller will delete the broken pod. The pod will then be rescheduled, hopefully onto a node that is fully ready. Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. | | | | `brokenPodLabelKey` _string_ | The label key to apply to a broken pod when the controller is in labelPods mode. | | | | `brokenPodLabelValue` _string_ | The label value to apply to a broken pod when the controller is in labelPods mode. | | | @@ -292,7 +293,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `address` _string_ | Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | | `subscribedResources` _[Resource](#resource) array_ | Describes the source of configuration, if nothing is specified default is MCP | | Enum: [SERVICE_REGISTRY] | 
@@ -341,7 +342,7 @@ _Appears in:_ _Underlying type:_ _string_ ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -header is handled by the gateway proxy. +header is handled by a proxy. See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails) header handling for more details. @@ -355,10 +356,10 @@ _Appears in:_ | Field | Description | | --- | --- | | `UNDEFINED` | Field is not set | -| `SANITIZE` | Do not send the XFCC header to the next hop. This is the default value. | +| `SANITIZE` | Do not send the XFCC header to the next hop. | | `FORWARD_ONLY` | When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. | -| `APPEND_FORWARD` | When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. | -| `SANITIZE_SET` | When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. | +| `APPEND_FORWARD` | When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. This is the default value for sidecar proxies. | +| `SANITIZE_SET` | When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. This is the default value for gateway proxies. | | `ALWAYS_FORWARD_ONLY` | Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. | 
@@ -375,13 +376,13 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `arch` _[ArchConfig](#archconfig)_ | Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: 0 - Never scheduled 1 - Least preferred 2 - No preference 3 - Most preferred Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `arch` _[ArchConfig](#archconfig)_ | Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: 0 - Never scheduled 1 - Least preferred 2 - No preference 3 - Most preferred Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `certSigners` _string array_ | List of certSigners to allow "approve" action in the ClusterRole | | | | `configValidation` _boolean_ | Controls whether the server-side validation is enabled. | | | -| `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. 
See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `defaultNodeSelector` _object (keys:string, values:string)_ | Default k8s node selector for all the Istio control plane components See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `defaultPodDisruptionBudget` _[DefaultPodDisruptionBudgetConfig](#defaultpoddisruptionbudgetconfig)_ | Specifies the default pod disruption budget configuration. | | | +| `defaultResources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | Default k8s resources settings for all Istio control plane components. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. 
| | | +| `defaultTolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | Default node tolerations to be applied to all deployments so that all pods can be scheduled to nodes with matching taints. Each component can overwrite these default values by adding its tolerations block in the relevant section below and setting the desired values. Configure this field in case that all pods of Istio control plane are expected to be scheduled to particular nodes with specified taints. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `hub` _string_ | Specifies the docker hub for Istio images. | | | | `imagePullPolicy` _[PullPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#pullpolicy-v1-core)_ | Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images | | Enum: [Always Never IfNotPresent] | | `imagePullSecrets` _string array_ | ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. Must be set for any cluster configured with private docker registry. | | | 
@@ -395,7 +396,7 @@ _Appears in:_ | `podDNSSearchNamespaces` _string array_ | Custom DNS config for the pod to resolve names of services in other clusters. Use this to add additional search domains, and other settings. see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config This does not apply to gateway pods as they typically need a different set of DNS settings than the normal application pods (e.g. in multicluster scenarios). | | | | `omitSidecarInjectorConfigMap` _boolean_ | Controls whether the creation of the sidecar injector ConfigMap should be skipped. Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. | | | | `operatorManageWebhooks` _boolean_ | Controls whether the WebhookConfiguration resource(s) should be created. The current behavior of Istiod is to manage its own webhook configurations. When this option is set to true, Istio Operator, instead of webhooks, manages the webhook configurations. When this option is set as false, webhooks manage their own webhook configurations. | | | -| `priorityClassName` _string_ | Specifies the k8s priorityClassName for the istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `priorityClassName` _string_ | Specifies the k8s priorityClassName for the istio control plane components. See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `proxy` _[ProxyConfig](#proxyconfig)_ | Specifies how proxies are configured within Istio. | | | | `proxy_init` _[ProxyInitConfig](#proxyinitconfig)_ | Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic. 
| | | | `sds` _[SDSConfig](#sdsconfig)_ | Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. | | | @@ -405,7 +406,7 @@ _Appears in:_ | `remotePilotAddress` _string_ | Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname. | | | | `istiod` _[IstiodConfig](#istiodconfig)_ | Specifies the configution of istiod | | | | `pilotCertProvider` _string_ | Configure the Pilot certificate provider. Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". | | | -| `jwtPolicy` _string_ | Configure the policy for validating JWT. This is deprecated and has no effect. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `jwtPolicy` _string_ | Configure the policy for validating JWT. This is deprecated and has no effect. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `sts` _[STSConfig](#stsconfig)_ | Specifies the configuration for Security Token Service. | | | | `revision` _string_ | Configures the revision this control plane is a part of | | | | `mountMtlsCerts` _boolean_ | Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts. | | | 
@@ -908,7 +909,7 @@ _Appears in:_ | `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0. | v1.23.0 | Enum: [v1.23.0] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | | | `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | -| `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | +| `namespace` _string_ | Namespace to which the Istio components should be installed. Note that this field is immutable. | istio-system | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | @@ -928,6 +929,7 @@ _Appears in:_ | `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this Istio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object. | | | | `conditions` _[IstioCondition](#istiocondition) array_ | Represents the latest available observations of the object's current state. | | | | `state` _[IstioConditionReason](#istioconditionreason)_ | Reports the current state of the object. | | | +| `activeRevisionName` _string_ | The name of the active revision. | | | | `revisions` _[RevisionSummary](#revisionsummary)_ | Reports information about the underlying IstioRevisions. | | | @@ -976,6 +978,7 @@ _Appears in:_ _Appears in:_ +- [PilotConfig](#pilotconfig) - [Values](#values) | Field | Description | Default | Validation | 
@@ -983,6 +986,7 @@ _Appears in:_ | `injectionURL` _string_ | URL to use for sidecar injector webhook. | | | | `injectionPath` _string_ | Path to use for the sidecar injector webhook service. | | | | `injectionCABundle` _string_ | injector ca bundle | | | +| `enabled` _boolean_ | Indicates if this cluster/install should consume a "remote" istiod instance, | | | #### LocalityLoadBalancerSetting 
@@ -1128,7 +1132,7 @@ _Appears in:_ | `ingressClass` _string_ | Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of `kubernetes.io/ingress.class` annotation. | | | | `ingressService` _string_ | Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value `istio-ingressgateway` is used. | | | | `ingressControllerMode` _[MeshConfigIngressControllerMode](#meshconfigingresscontrollermode)_ | Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is `STRICT`. | | Enum: [UNSPECIFIED OFF DEFAULT STRICT] | -| `ingressSelector` _string_ | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingress_service. | | | +| `ingressSelector` _string_ | Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingressService. | | | | `enableTracing` _boolean_ | Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration. | | | | `accessLogFile` _string_ | File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging. | | | | `accessLogFormat` _string_ | Format for the proxy access log Empty value results in proxy's default access log format | | | 
@@ -1141,11 +1145,11 @@ _Appears in:_
 | `configSources` _[ConfigSource](#configsource) array_ | ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane. | | |
 | `enableAutoMtls` _boolean_ | This flag is used to enable mutual `TLS` automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding `DestinationRule` configured, or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate for mutual `TLS` to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. | | |
 | `trustDomain` _string_ | The trust domain corresponds to the trust root of a system. Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) | | |
-| `trustDomainAliases` _string array_ | The trust domain aliases represent the aliases of `trust_domain`. For example, if we have ```yaml trustDomain: td1 trustDomainAliases: ["td2", "td3"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. | | |
+| `trustDomainAliases` _string array_ | The trust domain aliases represent the aliases of `trustDomain`.
For example, if we have ```yaml trustDomain: td1 trustDomainAliases: ["td2", "td3"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. | | |
 | `caCertificates` _[MeshConfigCertificateData](#meshconfigcertificatedata) array_ | The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent. | | |
-| `defaultServiceExportTo` _string array_ | The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use "*" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`. | | |
-| `defaultVirtualServiceExportTo` _string array_ | The default value for the VirtualService.export_to field.
Has the same syntax as `default_service_export_to`. If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces | | |
-| `defaultDestinationRuleExportTo` _string array_ | The default value for the `DestinationRule.export_to` field. Has the same syntax as `default_service_export_to`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces | | |
+| `defaultServiceExportTo` _string array_ | The default value for the ServiceEntry.exportTo field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use "*" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`. | | |
+| `defaultVirtualServiceExportTo` _string array_ | The default value for the VirtualService.exportTo field. Has the same syntax as `defaultServiceExportTo`.
If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces | | |
+| `defaultDestinationRuleExportTo` _string array_ | The default value for the `DestinationRule.exportTo` field. Has the same syntax as `defaultServiceExportTo`. If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces | | |
 | `rootNamespace` _string_ | The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. The precise semantics of this processing are documented on each resource type. | | |
 | `localityLbSetting` _[LocalityLoadBalancerSetting](#localityloadbalancersetting)_ | Locality based load balancing distribution or failover settings. If unspecified, locality based load balancing will be enabled by default. However, this requires outlierDetection to actually take effect for a particular service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ | | |
 | `dnsRefreshRate` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` Default refresh rate is `60s`. | | |
@@ -1159,7 +1163,7 @@ _Appears in:_
 | `pathNormalization` _[MeshConfigProxyPathNormalization](#meshconfigproxypathnormalization)_ | ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. The normalized paths will be used in all aspects through the requests' lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used. | | |
 | `defaultHttpRetryPolicy` _[HTTPRetry](#httpretry)_ | Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". Setting the number of attempts to 0 disables retry policy globally. This setting can be overridden on a per-host basis using the Virtual Service API. All settings in the retry policy except `perTryTimeout` can currently be configured globally via this field. | | |
 | `meshMTLS` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | The below configuration parameters can be used to specify TLSConfig for mesh traffic. For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below: ```yaml meshConfig: meshMTLS: minProtocolVersion: TLSV1_3 tlsDefaults: Note: applicable only for non ISTIO_MUTUAL scenarios ecdhCurves: - P-256 - P-512 ``` Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic. Note: Mesh mTLS does not respect ECDH curves. | | |
-| `tlsDefaults` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdh_curves and cipher_suites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
| | |
+| `tlsDefaults` _[MeshConfigTLSConfig](#meshconfigtlsconfig)_ | Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. Currently, this supports configuration of ecdhCurves and cipherSuites only. For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. | | |
 #### MeshConfigAccessLogEncoding
@@ -1196,9 +1200,9 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `address` _string_ | REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 | | Required: \{\} |
-| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. Regarding tls_settings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate. | | |
+| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. Regarding tlsSettings: - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing - TLS MUTUAL MODE be on by default. If the CA certificates (cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate. | | |
 | `requestTimeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | timeout for forward CSR requests from Istiod to External CA Default: 10s | | |
-| `istiodSide` _boolean_ | Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true | | |
+| `istiodSide` _boolean_ | Use istiodSide to specify CA Server integrate to Istiod side or Agent side Default: true | | |
 #### MeshConfigCertificateData
@@ -1217,7 +1221,7 @@ _Appears in:_
 | `pem` _string_ | The PEM data of the certificate. | | |
 | `spiffeBundleUrl` _string_ | The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint. | | |
 | `certSigners` _string array_ | when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. | | |
-| `trustDomains` _string array_ | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trust_domain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains. | | |
+| `trustDomains` _string array_ | Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trustDomain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. | | |
 #### MeshConfigDefaultProviders
@@ -1228,7 +1232,7 @@ Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.
-These names must match a provider defined in `extension_providers` that is
+These names must match a provider defined in `extensionProviders` that is
 one of the supported tracing providers.
@@ -1304,7 +1308,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `service` _string_ | REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. The format is `[/]`. The specification of `` is required only when it is insufficient to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". | | Required: \{\} |
 | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} |
-| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `fail_open` field. | | |
+| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | |
 | `failOpen` _boolean_ | If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.
| | |
 | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | |
 | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service. | | |
@@ -1325,13 +1329,13 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `service` _string_ | REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. The format is `[/]`. The specification of `` is required only when it is insufficient to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". | | Required: \{\} |
 | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} |
-| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `fail_open` field. | | |
+| `timeout` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured `failOpen` field. | | |
 | `pathPrefix` _string_ | Sets a prefix to the value of authorization request header *Path*. For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".
| | |
 | `failOpen` _boolean_ | If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response. | | |
 | `statusOnError` _string_ | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden). | | |
-| `includeHeadersInCheck` _string array_ | DEPRECATED. Use include_request_headers_in_check instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | |
-| `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | |
-| `includeAdditionalHeadersInCheck` _object (keys:string, values:string)_ | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value.
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden. | | |
+| `includeHeadersInCheck` _string array_ | DEPRECATED. Use includeRequestHeadersInCheck instead. Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. | | |
+| `includeRequestHeadersInCheck` _string array_ | List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default: 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | |
+| `includeAdditionalHeadersInCheck` _object (keys:string, values:string)_ | Set of additional fixed headers that should be included in the authorization request sent to the authorization service. Key is the header name and value is the header value. Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. | | |
 | `includeRequestBodyInCheck` _[MeshConfigExtensionProviderEnvoyExternalAuthorizationRequestBody](#meshconfigextensionproviderenvoyexternalauthorizationrequestbody)_ | If set, the client request body will be included in the authorization request sent to the authorization service.
| | |
 | `headersToUpstreamOnAllow` _string array_ | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | |
 | `headersToDownstreamOnDeny` _string array_ | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream. When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. Note, the body from the authorization service is always included in the response to downstream. Exact, prefix and suffix matches are supported (similar to the [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) except the presence match): - Exact match: "abc" will match on value "abc". - Prefix match: "abc*" will match on value "abc" and "abcd". - Suffix match: "*abc" will match on value "abc" and "xabc". | | |
@@ -1424,6 +1428,8 @@ _Appears in:_
 | `filterStateObjectsToLog` _string array_ | Optional. Additional filter state objects to log. | | |
+
+
 #### MeshConfigExtensionProviderHttpHeader
@@ -1433,6 +1439,7 @@ _Appears in:_
 _Appears in:_
+- [MeshConfigExtensionProviderGrpcService](#meshconfigextensionprovidergrpcservice)
 - [MeshConfigExtensionProviderHttpService](#meshconfigextensionproviderhttpservice)
 | Field | Description | Default | Validation |
@@ -1513,8 +1520,9 @@ _Appears in:_
 | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} |
 | `maxTagLength` _integer_ | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | | |
 | `http` _[MeshConfigExtensionProviderHttpService](#meshconfigextensionproviderhttpservice)_ | Optional. Specifies the configuration for exporting OTLP traces via HTTP. When empty, traces will be exported via gRPC. The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP: 1. Add/change the OpenTelemetry extension provider in `MeshConfig` ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com http: path: "/api/otlp/traces" timeout: 10s headers: - name: "my-custom-header" value: "some value" ``` 2. Deploy a `ServiceEntry` for the observability back-end ```yaml apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: my-olly-backend spec: hosts: - my.olly-backend.com ports: - number: 443 name: https-port protocol: HTTPS resolution: DNS location: MESH_EXTERNAL --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: my-olly-backend spec: host: my.olly-backend.com trafficPolicy: portLevelSettings: - port: number: 443 tls: mode: SIMPLE ``` | | |
-| `resourceDetectors` _[MeshConfigExtensionProviderResourceDetectors](#meshconfigextensionproviderresourcedetectors)_ | Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge).
The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com resource_detectors: environment: \{\} ``` | | |
-| `dynatraceSampler` _[MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler](#meshconfigextensionprovideropentelemetrytracingproviderdynatracesampler)_ | The Dynatrace adaptive traffic management (ATM) sampler. Example configuration: ```yaml - name: otel-tracing opentelemetry: port: 443 service: "\{your-environment-id\}.live.dynatrace.com" http: path: "/api/v2/otlp/v1/traces" timeout: 10s headers: - name: "Authorization" value: "Api-Token dt0c01." resource_detectors: dynatrace: \{\} dynatrace_sampler: tenant: "\{your-environment-id\}" cluster_id: 1234 | | |
+| `grpc` _[MeshConfigExtensionProviderGrpcService](#meshconfigextensionprovidergrpcservice)_ | Optional. Specifies the configuration for exporting OTLP traces via GRPC. When empty, traces will check whether HTTP is set. If not, traces will use default GRPC configurations. The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC: 1. Add/change the OpenTelemetry extension provider in `MeshConfig` ```yaml - name: opentelemetry opentelemetry: port: 8090 service: tracing.example.com grpc: timeout: 10s initialMetadata: - name: "Authentication" value: "token-xxxxx" ``` 2. Deploy a `ServiceEntry` for the observability back-end ```yaml apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: tracing-grpc spec: hosts: - tracing.example.com ports: - number: 8090 name: grpc-port protocol: GRPC resolution: DNS location: MESH_EXTERNAL ``` | | |
+| `resourceDetectors` _[MeshConfigExtensionProviderResourceDetectors](#meshconfigextensionproviderresourcedetectors)_ | Optional.
Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). The following example shows how to configure the Environment Resource Detector, that will read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: ```yaml - name: otel-tracing opentelemetry: port: 443 service: my.olly-backend.com resourceDetectors: environment: \{\} ``` | | |
+| `dynatraceSampler` _[MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler](#meshconfigextensionprovideropentelemetrytracingproviderdynatracesampler)_ | The Dynatrace adaptive traffic management (ATM) sampler. Example configuration: ```yaml - name: otel-tracing opentelemetry: port: 443 service: "\{your-environment-id\}.live.dynatrace.com" http: path: "/api/v2/otlp/v1/traces" timeout: 10s headers: - name: "Authorization" value: "Api-Token dt0c01." resourceDetectors: dynatrace: \{\} dynatraceSampler: tenant: "\{your-environment-id\}" clusterId: 1234 | | |
@@ -1647,6 +1655,7 @@ _Appears in:_
 | `port` _integer_ | REQUIRED. Specifies the port of the service. | | Required: \{\} |
 | `maxTagLength` _integer_ | Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag. | | |
 | `enable64bitTraceId` _boolean_ | Optional. A 128 bit trace id will be used in Istio. If true, will result in a 64 bit trace id being used. | | |
+| `path` _string_ | Optional. Specifies the endpoint of Zipkin API. The default value is "/api/v2/spans". | | |
 #### MeshConfigH2UpgradePolicy
@@ -1717,8 +1726,8 @@ _Appears in:_
 | --- | --- |
 | `UNSPECIFIED` | Unspecified Istio ingress controller. |
 | `OFF` | Disables Istio ingress controller. |
-| `DEFAULT` | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. |
-| `STRICT` | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingress_class parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). |
+| `DEFAULT` | Istio ingress controller will act on ingress resources that do not contain any annotation or whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster. |
+| `STRICT` | Istio ingress controller will only act on ingress resources whose annotations match the value specified in the ingressClass parameter described earlier. Use this mode if Istio ingress controller will be a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller). |
 #### MeshConfigOutboundTrafficPolicy
@@ -1820,7 +1829,7 @@ _Appears in:_ | `statusPort` _integer_ | Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port `15020`. | | | | `extraStatTags` _string array_ | An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics. Deprecated: `istio.stats` is a native filter now, this field is no longer needed. | | | | `gatewayTopology` _[Topology](#topology)_ | Topology encapsulates the configuration which describes where the proxy is located i.e. behind a (or N) trusted proxy (proxies) or directly exposed to the internet. This configuration only effects gateways and is applied to all the gateways in the cluster unless overridden via annotations of the gateway workloads. | | | -| `terminationDrainDuration` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. It then sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. | | | +| `terminationDrainDuration` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, discouraging any new connections and allowing existing connections to complete. 
It then sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied. | | | | `meshId` _string_ | The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. | | | | `readinessProbe` _[Probe](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#probe-v1-core)_ | VM Health Checking readiness probe. This health check config exactly mirrors the kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time. | | | | `proxyStatsMatcher` _[ProxyConfigProxyStatsMatcher](#proxyconfigproxystatsmatcher)_ | Proxy stats matcher defines configuration for reporting custom Envoy stats. To reduce memory and CPU overhead from Envoy stats system, Istio proxies by default create and expose only a subset of Envoy stats. This option is to control creation of additional Envoy stats with prefix, suffix, and regex expressions match on the name of the stats. This replaces the stats inclusion annotations (`sidecar.istio.io/statsInclusionPrefixes`, `sidecar.istio.io/statsInclusionRegexps`, and `sidecar.istio.io/statsInclusionSuffixes`). For example, to enable stats for circuit breakers, request retries, upstream connections, and request timeouts, you can specify stats matcher as follows: ```yaml proxyStatsMatcher: inclusionRegexps: - .*outlier_detection.* - .*upstream_rq_retry.* - .*upstream_cx_.* inclusionSuffixes: - upstream_rq_timeout ``` Note including more Envoy stats might increase number of time series collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality. | | | 
@@ -2006,7 +2015,7 @@ adding the `ISTIO_META_NETWORK` environment variable to the sidecar.
 a. By matching the registry name with one of the "fromRegistry"
- in the mesh config. A "from_registry" can only be assigned to a
+ in the mesh config. A "fromRegistry" can only be assigned to a
 single network.
@@ -2066,22 +2075,22 @@ _Appears in:_ | `autoscaleMin` _integer_ | Minimum number of replicas in the HorizontalPodAutoscaler for Pilot. | | | | `autoscaleMax` _integer_ | Maximum number of replicas in the HorizontalPodAutoscaler for Pilot. | | | | `autoscaleBehavior` _[HorizontalPodAutoscalerBehavior](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#horizontalpodautoscalerbehavior-v2-autoscaling)_ | See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior | | | -| `replicaCount` _integer_ | Number of replicas in the Pilot Deployment. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `replicaCount` _integer_ | Number of replicas in the Pilot Deployment. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `image` _string_ | Image name used for Pilot. This can be set either to image name if hub is also set, or can be set to the full hub:name string. Examples: custom-pilot, docker.io/someuser:custom-pilot | | | | `traceSampling` _float_ | Trace sampling fraction. Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. Allowed values: 0.0 to 1.0 | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `cpu` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. 
| | | -| `nodeSelector` _object (keys:string, values:string)_ | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `cpu` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target CPU utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `nodeSelector` _object (keys:string, values:string)_ | K8s node selector. See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `keepaliveMaxServerConnectionAge` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#duration-v1-meta)_ | Maximum duration that a sidecar can be connected to a pilot. This setting balances out load across pilot instances, but adds some resource overhead. Examples: 300s, 30m, 1h | | | | `deploymentLabels` _object (keys:string, values:string)_ | Labels that are added to Pilot deployment. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | | | `podLabels` _object (keys:string, values:string)_ | Labels that are added to Pilot pods. See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ | | | | `configMap` _boolean_ | Configuration settings passed to Pilot as a ConfigMap. This controls whether the mesh config map, generated from values.yaml is generated. 
If false, pilot wil use default values or user-supplied values, in that order of preference. | | | | `env` _object (keys:string, values:string)_ | Environment variables passed to the Pilot container. Examples: env: ENV_VAR_1: value1 ENV_VAR_2: value2 | | | | `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity to set on the Pilot Pods. | | | -| `rollingMaxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | K8s rolling update strategy Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | XIntOrString: \{\} | -| `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update (see `strategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | XIntOrString: \{\} | -| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | The node tolerations to be applied to the Pilot deployment so that it can be scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | -| `podAnnotations` _object (keys:string, values:string)_ | K8s annotations for pods. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. 
| | | +| `rollingMaxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | K8s rolling update strategy Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | XIntOrString: \{\} | +| `rollingMaxUnavailable` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#intorstring-intstr-util)_ | The number of pods that can be unavailable during a rolling update (see `strategy.rollingUpdate.maxUnavailable` here: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). May be specified as a number of pods or as a percent of the total number of pods at the start of the update. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | XIntOrString: \{\} | +| `tolerations` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | The node tolerations to be applied to the Pilot deployment so that it can be scheduled to particular nodes with matching taints. More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | +| `podAnnotations` _object (keys:string, values:string)_ | K8s annotations for pods. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `serviceAnnotations` _object (keys:string, values:string)_ | K8s annotations for the Service. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | | | | `serviceAccountAnnotations` _object (keys:string, values:string)_ | K8s annotations for the service account | | | | `jwksResolverExtraRootCA` _string_ | Specifies an extra root certificate in PEM format. This certificate will be trusted by pilot when resolving JWKS URIs. | | | 
@@ -2095,10 +2104,11 @@ _Appears in:_
 | `volumes` _[Volume](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#volume-v1-core) array_ | Additional volumes to add to the Pilot Pod. | | |
 | `ipFamilies` _string array_ | Defines which IP family to use for single stack or the order of IP families for dual-stack. Valid list items are "IPv4", "IPv6". More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | |
 | `ipFamilyPolicy` _string_ | Controls whether Services are configured to use IPv4, IPv6, or both. Valid options are PreferDualStack, RequireDualStack, and SingleStack. More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services | | |
-| `memory` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target memory utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | |
+| `memory` _[TargetUtilizationConfig](#targetutilizationconfig)_ | Target memory utilization used in HorizontalPodAutoscaler. See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | |
 | `cni` _[CNIUsageConfig](#cniusageconfig)_ | Configures whether to use an existing CNI installation for workloads | | |
 | `taint` _[PilotTaintControllerConfig](#pilottaintcontrollerconfig)_ | | | |
 | `trustedZtunnelNamespace` _string_ | If set, `istiod` will allow connections from trusted node proxy ztunnels in the provided namespace. | | |
+| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane"). | | |
@@ -2186,7 +2196,7 @@ _Appears in:_
 | `autoInject` _string_ | Controls the 'policy' in the sidecar injector. | | |
 | `clusterDomain` _string_ | Domain for the cluster, default: "cluster.local". K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ | | |
 | `componentLogLevel` _string_ | Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. | | |
-| `enableCoreDump` _boolean_ | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. | | |
+| `enableCoreDump` _boolean_ | Enables core dumps for newly injected sidecars. If set, newly injected sidecars will have core dumps enabled. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | |
 | `excludeInboundPorts` _string_ | Specifies the Istio ingress ports not to capture. | | |
 | `excludeIPRanges` _string_ | Lists the excluded IP ranges of Istio egress traffic that the sidecar captures. | | |
 | `image` _string_ | Image name or path for the proxy, default: "proxyv2". If registry or tag are not specified, global.hub and global.tag are used. Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 | | |
@@ -2199,11 +2209,11 @@ _Appears in:_ | `readinessFailureThreshold` _integer_ | Sets the number of successive failed probes before indicating readiness failure. | | | | `startupProbe` _[StartupProbe](#startupprobe)_ | Configures the startup probe for the istio-proxy container. | | | | `statusPort` _integer_ | Default port used for the Pilot agent's health checks. | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `tracer` _[Tracer](#tracer)_ | Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. | | Enum: [zipkin lightstep datadog stackdriver openCensusAgent none] | | `excludeOutboundPorts` _string_ | A comma separated list of outbound ports to be excluded from redirection to Envoy. | | | | `lifecycle` _[Lifecycle](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#lifecycle-v1-core)_ | The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks | | | -| `holdApplicationUntilProxyStarts` _boolean_ | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `holdApplicationUntilProxyStarts` _boolean_ | Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | | `includeInboundPorts` _string_ | A comma separated list of inbound ports for which traffic is to be redirected to Envoy. The wildcard character '*' can be used to configure redirection for all ports. | | | | `includeOutboundPorts` _string_ | A comma separated list of outbound ports for which traffic is to be redirected to Envoy, regardless of the destination IP. | | | 
@@ -2243,6 +2253,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `forwardedClientCert` _[ForwardClientCertDetails](#forwardclientcertdetails)_ | Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). By default, `APPEND_FORWARD` will be used. | | Enum: [UNDEFINED SANITIZE FORWARD_ONLY APPEND_FORWARD SANITIZE_SET ALWAYS_FORWARD_ONLY] | +| `setCurrentClientCertDetails` _[ProxyConfigProxyHeadersSetCurrentClientCertDetails](#proxyconfigproxyheaderssetcurrentclientcertdetails)_ | This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that `Hash` is always set, and `By` is always set when the client certificate presents the URI type Subject Alternative Name value. | | | | `requestId` _[ProxyConfigProxyHeadersRequestId](#proxyconfigproxyheadersrequestid)_ | Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. This applies to all types of traffic (inbound, outbound, and gateways). If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. This header is enabled by default if not configured. | | | | `server` _[ProxyConfigProxyHeadersServer](#proxyconfigproxyheadersserver)_ | Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). If disabled, the `Server` header is not modified. If it is already present, it will be preserved. 
| | | | `attemptCount` _[ProxyConfigProxyHeadersAttemptCount](#proxyconfigproxyheadersattemptcount)_ | Controls the `X-Envoy-Attempt-Count` header. If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. If disabled, this header will not be set. If it is already present, it will be preserved. This header is enabled by default if not configured. | | | @@ -2312,6 +2323,19 @@ _Underlying type:_ _[struct{Disabled *bool "json:\"disabled,omitempty\""; Value +_Appears in:_ +- [ProxyConfigProxyHeaders](#proxyconfigproxyheaders) + + + +#### ProxyConfigProxyHeadersSetCurrentClientCertDetails + +_Underlying type:_ _[struct{Subject *bool "json:\"subject,omitempty\""; Cert *bool "json:\"cert,omitempty\""; Chain *bool "json:\"chain,omitempty\""; Dns *bool "json:\"dns,omitempty\""; Uri *bool "json:\"uri,omitempty\""}](#struct{subject-*bool-"json:\"subject,omitempty\"";-cert-*bool-"json:\"cert,omitempty\"";-chain-*bool-"json:\"chain,omitempty\"";-dns-*bool-"json:\"dns,omitempty\"";-uri-*bool-"json:\"uri,omitempty\""})_ + + + + + _Appears in:_ - [ProxyConfigProxyHeaders](#proxyconfigproxyheaders) @@ -2341,7 +2365,7 @@ _Appears in:_ _Underlying type:_ _string_ Allows specification of various Istio-supported naming schemes for the -Envoy `service_cluster` value. The `servce_cluster` value is primarily used +Envoy `service_cluster` value. The `service_cluster` value is primarily used by Envoys to provide service names for tracing spans. _Validation:_ 
@@ -2390,7 +2414,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `image` _string_ | Specifies the image for the proxy_init container. | | | -| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | | +| `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resources settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | | #### RemoteIstio @@ -2533,6 +2557,7 @@ _Appears in:_ | `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this RemoteIstio object. It corresponds to the object's generation, which is updated on mutation by the API Server. The information in the status pertains to this particular generation of the object. | | | | `conditions` _[RemoteIstioCondition](#remoteistiocondition) array_ | Represents the latest available observations of the object's current state. | | | | `state` _[RemoteIstioConditionReason](#remoteistioconditionreason)_ | Reports the current state of the object. | | | +| `activeRevisionName` _string_ | The name of the active revision. | | | | `revisions` _[RevisionSummary](#revisionsummary)_ | Reports information about the underlying IstioRevisions. | | | 
@@ -2550,7 +2575,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `address` _string_ | Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name. | | |
-| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the `tls_settings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | |
+| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the `tlsSettings` to specify the tls mode to use. If the remote service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | |
 | `tcpKeepalive` _[ConnectionPoolSettingsTCPSettingsTcpKeepalive](#connectionpoolsettingstcpsettingstcpkeepalive)_ | If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives. | | |
@@ -2624,7 +2649,7 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `token` _[SDSConfigToken](#sdsconfigtoken)_ | Deprecated: Marked as deprecated in pkg/apis/istio/v1alpha1/values_types.proto. | | |
+| `token` _[SDSConfigToken](#sdsconfigtoken)_ | Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | |
 #### SDSConfigToken
@@ -2804,7 +2829,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `numTrustedProxies` _integer_ | Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of num_trusted_proxies is 0. See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. | | | +| `numTrustedProxies` _integer_ | Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of numTrustedProxies is 0. 
See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details. | | | | `forwardClientCertDetails` _[ForwardClientCertDetails](#forwardclientcertdetails)_ | Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) header in the incoming request. | | Enum: [UNDEFINED SANITIZE FORWARD_ONLY APPEND_FORWARD SANITIZE_SET ALWAYS_FORWARD_ONLY] | | `proxyProtocol` _[TopologyProxyProtocolConfiguration](#topologyproxyprotocolconfiguration)_ | Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for downstream connections on a gateway. | | | @@ -2949,7 +2974,7 @@ _Appears in:_ | `stackdriver` _[TracingStackdriver](#tracingstackdriver)_ | Use a Stackdriver tracer. | | | | `openCensusAgent` _[TracingOpenCensusAgent](#tracingopencensusagent)_ | Use an OpenCensus tracer exporting to an OpenCensus agent. | | | | `sampling` _float_ | The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0. | | | -| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tls_settings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | +| `tlsSettings` _[ClientTLSSettings](#clienttlssettings)_ | Use the tlsSettings to specify the tls mode to use. If the remote tracing service uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as `ISTIO_MUTUAL`. | | | 
@@ -3063,7 +3088,7 @@ _Appears in:_
 | `revision` _string_ | Identifies the revision this installation is associated with. | | |
 | `meshConfig` _[MeshConfig](#meshconfig)_ | Defines runtime configuration of components, including Istiod and istio-agent behavior. See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. TODO can this import the real mesh config API? | | |
 | `base` _[BaseConfig](#baseconfig)_ | Configuration for the base component. | | |
-| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for istiod-remote. | | |
+| `istiodRemote` _[IstiodRemoteConfig](#istiodremoteconfig)_ | Configuration for istiod-remote. DEPRECATED - istiod-remote chart is removed and replaced with `istio-discovery --set values.istiodRemote.enabled=true` Deprecated: Marked as deprecated in pkg/apis/values_types.proto. | | |
 | `revisionTags` _string array_ | Specifies the aliases for the Istio control plane revision. A MutatingWebhookConfiguration is created for each alias. | | |
 | `defaultRevision` _string_ | The name of the default revision in the cluster. | | |
 | `profile` _string_ | Specifies which installation configuration profile to apply. | | |
@@ -3085,6 +3110,10 @@ _Appears in:_
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
 | `resources` _[ResourceRequirements](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcerequirements-v1-core)_ | K8s resource settings. See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container | | |
+| `affinity` _[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#affinity-v1-core)_ | K8s affinity settings for waypoint pods. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity | | |
+| `topologySpreadConstraints` _[TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#topologyspreadconstraint-v1-core) array_ | K8s topology spread constraints settings. See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ | | |
+| `nodeSelector` _[NodeSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#nodeselector-v1-core)_ | K8s node labels settings. See https://kubernetes.io/docs/user-guide/node-selection/ | | |
+| `toleration` _[Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#toleration-v1-core) array_ | K8s tolerations settings. See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | | |
diff --git a/docs/common/create-and-configure-gateways.md b/docs/common/create-and-configure-gateways.md
new file mode 100644
index 000000000..29e35bd75
--- /dev/null
+++ b/docs/common/create-and-configure-gateways.md
@@ -0,0 +1,84 @@ +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + + +### Option 1: Istio Gateway Injection + +Gateway Injection uses the same mechanisms as Istio sidecar injection to create +a gateway from a `Deployment` resource that is paired with a `Service` resource +that can be made accessible from outside the cluster. For more information, see +[Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). + +To configure gateway injection with the `bookinfo` application, we have provided +a [sample gateway configuration](../../chart/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace +where the application is installed: + +1. Create the `istio-ingressgateway` deployment and service: + + ```sh + $ oc apply -f -n ingress-gateway.yaml + ``` + +2. Configure the `bookinfo` application with the new gateway: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml + ``` + +3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: + + ```sh + $ oc expose service istio-ingressgateway + ``` + +4. Finally, obtain the gateway host name and the URL of the product page: + + ```sh + $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') + $ echo http://$HOST/productpage + ``` + +Verify that the `productpage` is accessible from a web browser. 
+ + +### Option 2: Kubernetes Gateway API + +Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it +the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more +information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. + +As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are +not available by default and must be enabled to be used. This can be done with +the command: + +```sh +$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.0.0" | oc apply -f -; } +``` + +To configure `bookinfo` with a gateway using `Gateway API`: + +1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml + ``` + +2. Retrieve the host, port and gateway URL: + + ```sh + $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') + $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') + $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT + ``` + +3. Obtain the `productpage` URL and check that you can visit it from a browser: + + ```sh + $ echo "http://${GATEWAY_URL}/productpage" + ``` diff --git a/docs/common/install-bookinfo-app.md b/docs/common/install-bookinfo-app.md new file mode 100644 index 000000000..0026b4d8e --- /dev/null +++ b/docs/common/install-bookinfo-app.md 
@@ -0,0 +1,30 @@ +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +The `bookinfo` application displays information about a book, similar to a +single catalog entry of an online book store. The application displays a page +that describes the book, lists book details (ISBN, number of pages, and other +information), and book reviews. + +The `bookinfo` application is exposed through the mesh, and the mesh configuration +determines how the microservices comprising the application are used to serve +requests. The review information comes from one of three services: `reviews-v1`, +`reviews-v2` or `reviews-v3`. If you deploy the `bookinfo` application without +defining the `reviews` virtual service, then the mesh uses a round-robin rule to +route requests to a service. + +By deploying the `reviews` virtual service, you can specify a different behavior. +For example, you can specify that if a user logs into the `bookinfo` application, +then the mesh routes requests to the `reviews-v2` service, and the application +displays reviews with black stars. If a user does not log into the `bookinfo` +application, then the mesh routes requests to the `reviews-v3` service, and the +application displays reviews with red stars. + +For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. + +After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you +will need to create and configure a gateway** for the `bookinfo` application to +be accessible outside the cluster. diff --git a/docs/common/install-istioctl-tool.md b/docs/common/install-istioctl-tool.md new file mode 100644 index 000000000..68fa0dcf3 
--- /dev/null +++ b/docs/common/install-istioctl-tool.md @@ -0,0 +1,51 @@ +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + + +### Prerequisites + +Use an `istioctl` version that is the same version as the Istio control plane +for the Service Mesh deployment. See [Istio Releases](https://github.com/istio/istio/releases) for a list of valid +releases, including Beta releases. + +### Procedure + +1. Confirm if you have `istioctl` installed, and if so which version, by running +the following command at the terminal: + + ```sh + $ istioctl version + ``` + +2. Confirm the version of Istio you are using by running the following command +at the terminal: + + ```sh + $ oc get istio + ``` + +3. Install `istioctl` by running the following command at the terminal: + + ```sh + $ curl -sL https://istio.io/downloadIstioctl | ISTIO_VERSION= sh - + ``` + Replace `` with the version of Istio you are using. + +4. Put the `istioctl` directory on path by running the following command at the terminal: + + ```sh + $ export PATH=$HOME/.istioctl/bin:$PATH + ``` + +5. Confirm that the `istioctl` client version and the Istio control plane +version now match (or are within one version) by running the following command +at the terminal: + + ```sh + $ istioctl version + ``` +For more information on usage, see the [Istioctl documentation](https://istio.io/latest/docs/ops/diagnostic-tools/istioctl/). + +*Note*: `istioctl install` is not supported. The Sail Operator installs Istio. diff --git a/docs/common/istio-addons-integrations.md b/docs/common/istio-addons-integrations.md new file mode 100644 index 000000000..36f0ee1da --- /dev/null +++ b/docs/common/istio-addons-integrations.md 
@@ -0,0 +1,119 @@ +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). +The following addons are for demonstration or development purposes only and +should not be used in production environments: + + +### Prometheus + +`Prometheus` is an open-source systems monitoring and alerting toolkit. You can +use `Prometheus` with the Sail Operator to keep an eye on how healthy Istio and +the apps in the service mesh are, for more information, see [Prometheus](https://istio.io/latest/docs/ops/integrations/prometheus/). + +To install Prometheus, perform the following steps: + +1. Deploy `Prometheus`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/prometheus.yaml + ``` +2. Access to `Prometheus`console: + + * Expose the `Prometheus` service externally: + + ```sh + $ oc expose service prometheus -n istio-system + ``` + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route prometheus -o jsonpath='{.spec.host}' -n istio-system + ``` + + +### Grafana + +`Grafana` is an open-source platform for monitoring and observability. You can +use `Grafana` with the Sail Operator to configure dashboards for istio, see +[Grafana](https://istio.io/latest/docs/ops/integrations/grafana/) for more information. + +To install Grafana, perform the following steps: + +1. Deploy `Grafana`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/grafana.yaml + ``` + +2. Access to `Grafana`console: + + * Expose the `Grafana` service externally + + ```sh + $ oc expose service grafana -n istio-system + ``` + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route grafana -o jsonpath='{.spec.host}' -n istio-system + ``` + + +### Jaeger + +`Jaeger` is an open-source end-to-end distributed tracing system. 
You can use +`Jaeger` with the Sail Operator to monitor and troubleshoot transactions in +complex distributed systems, see [Jaeger](https://istio.io/latest/docs/ops/integrations/jaeger/) for more information. + +To install Jaeger, perform the following steps: + +1. Deploy `Jaeger`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/jaeger.yaml + ``` +2. Access to `Jaeger` console: + + * Expose the `Jaeger` service externally: + + ```sh + $ oc expose svc/tracing -n istio-system + ``` + + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route tracing -o jsonpath='{.spec.host}' -n istio-system + ``` +*Note*: if you want to see some traces you can refresh several times the product +page of bookinfo app to start generating traces. + + +### Kiali + +`Kiali` is an open-source project that provides a graphical user interface to +visualize the service mesh topology, see [Kiali](https://istio.io/latest/docs/ops/integrations/kiali/) for more information. + +To install Kiali, perform the following steps: + +1. Deploy `Kiali`: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/addons/kiali.yaml + ``` + +2. Access to `Kiali` console: + + * Expose the `Kiali` service externally: + + ```sh + $ oc expose service kiali -n istio-system + ``` + + * Get the route of the service and open the URL in the web browser + + ```sh + $ oc get route kiali -o jsonpath='{.spec.host}' -n istio-system + ``` diff --git a/docs/multicluster/controlplane-gateway.yaml b/docs/multicluster/controlplane-gateway.yaml new file mode 100644 index 000000000..33689f854 --- /dev/null +++ b/docs/multicluster/controlplane-gateway.yaml 
@@ -0,0 +1,355 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-service-account + namespace: istio-system + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: istio-ingressgateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: "false" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: null + requiredDuringSchedulingIgnoredDuringExecution: null + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + 
fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.22.1 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 15012 + protocol: TCP + - containerPort: 15017 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: 
/var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: /etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs + +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + minAvailable: 1 + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + 
operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + install.operator.istio.io/owning-resource: unknown + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway-sds + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account + +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + +--- +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: tls-xds + port: 15012 + protocol: TCP + targetPort: 15012 + - name: tls-webhook + port: 15017 + protocol: TCP + targetPort: 15017 + selector: + app: istio-ingressgateway + istio: ingressgateway + type: LoadBalancer + +--- 
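Review bot: The `istio-ingressgateway-sds` Role grants `get`/`watch`/`list` on every Secret in `istio-system`, and this manifest deploys the gateway into that same namespace, so the gateway's service account can read whatever else lives there — including the `cacerts` secret that `setup-multi-primary.sh` (also in this commit) creates in `istio-system`. The docs added in this same commit (create-and-configure-gateways.md) state that gateways should be deployed in a namespace separate from the control plane; either moving this gateway to its own namespace or, if only the two mounted secrets are needed, adding `resourceNames: [istio-ingressgateway-certs, istio-ingressgateway-ca-certs]` under the `secrets` rule would bring the manifest in line with that guidance. Separately, `minReplicas: 1` on the HorizontalPodAutoscaler combined with `minAvailable: 1` on the PodDisruptionBudget means a single-replica gateway can never be voluntarily evicted (a node drain will block), so consider `minReplicas: 2` or dropping the PDB. The `null` values under `nodeAffinity` and `annotations: null` on the Service carry no meaning and could simply be removed.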
diff --git a/docs/multicluster/setup-multi-primary.sh b/docs/multicluster/setup-multi-primary.sh index 4463c3719..53589089f 100755 --- a/docs/multicluster/setup-multi-primary.sh +++ b/docs/multicluster/setup-multi-primary.sh @@ -25,6 +25,7 @@ while [ $# -gt 0 ]; do exit 0 ;; esac + shift done set -euo pipefail 
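Review bot: The added `shift` after `esac` advances one positional argument per iteration, which presumably stops the `while [ $# -gt 0 ]` loop from spinning on any argument whose case branch does not `exit`; if a branch consumes an option value it would need its own additional `shift`, though those branches are outside the hunk. `set -euo pipefail` is only enabled after the loop, so the argument parsing itself runs without `-e`/`-u`; moving that line above the `while` would apply the same strictness to it. The enclosing while loop starts outside the hunk.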
@@ -96,7 +97,7 @@ kubectl get secret -n istio-system --context "${CTX_CLUSTER2}" cacerts || kubect # 4. Create Sail CR on east kubectl apply --context "${CTX_CLUSTER1}" -f - < github.com/imdario/mergo v0.3.5 require ( + github.com/Masterminds/semver/v3 v3.3.0 github.com/elastic/crd-ref-docs v0.1.0 github.com/go-logr/logr v1.4.2 github.com/google/go-cmp v0.6.0 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 github.com/magiconair/properties v1.8.7 - github.com/onsi/ginkgo/v2 v2.17.3 - github.com/onsi/gomega v1.33.1 - github.com/prometheus/common v0.55.0 - golang.org/x/mod v0.19.0 - golang.org/x/text v0.16.0 - golang.org/x/tools v0.23.0 + github.com/onsi/ginkgo/v2 v2.20.1 + github.com/onsi/gomega v1.34.2 + github.com/prometheus/common v0.60.0 + github.com/stretchr/testify v1.9.0 + golang.org/x/mod v0.20.0 + golang.org/x/text v0.18.0 + golang.org/x/tools v0.24.0 gomodules.xyz/jsonpatch/v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 - helm.sh/helm/v3 v3.15.1 - istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19 - istio.io/istio v0.0.0-20240813230019-b191b039631b - k8s.io/api v0.30.3 - k8s.io/apiextensions-apiserver v0.30.3 - k8s.io/apimachinery v0.30.3 - k8s.io/cli-runtime v0.30.3 - k8s.io/client-go v0.30.3 - sigs.k8s.io/controller-runtime v0.18.3 + helm.sh/helm/v3 v3.16.1 + istio.io/client-go v1.23.0-alpha.0.0.20241016001849-29f61837a029 + istio.io/istio v0.0.0-20241016035750-1d92787e64d8 + k8s.io/api v0.31.1 + k8s.io/apiextensions-apiserver v0.31.1 + k8s.io/apimachinery v0.31.1 + k8s.io/cli-runtime v0.31.1 + k8s.io/client-go v0.31.1 + sigs.k8s.io/controller-runtime v0.19.0 ) require ( + dario.cat/mergo v1.0.1 // indirect github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect github.com/BurntSushi/toml v1.3.2 // indirect github.com/MakeNowJust/heredoc v1.0.0 // indirect github.com/Masterminds/goutils v1.1.1 // indirect 
github.com/Masterminds/semver v1.5.0 // indirect - github.com/Masterminds/semver/v3 v3.2.1 // indirect github.com/Masterminds/sprig v2.22.0+incompatible // indirect - github.com/Masterminds/sprig/v3 v3.2.3 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect github.com/Masterminds/squirrel v1.5.4 // indirect github.com/Microsoft/hcsshim v0.11.4 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect + github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect github.com/chai2010/gettext-go v1.0.2 // indirect github.com/containerd/containerd v1.7.12 // indirect github.com/containerd/log v0.1.0 // indirect - github.com/cyphar/filepath-securejoin v0.2.4 // indirect + github.com/cyphar/filepath-securejoin v0.3.1 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/distribution/reference v0.5.0 // indirect - github.com/docker/cli v27.1.1+incompatible // indirect + github.com/docker/cli v27.3.1+incompatible // indirect github.com/docker/distribution v2.8.3+incompatible // indirect github.com/docker/docker v26.0.2+incompatible // indirect - github.com/docker/docker-credential-helpers v0.8.1 // indirect + github.com/docker/docker-credential-helpers v0.8.2 // indirect github.com/docker/go-connections v0.5.0 // indirect github.com/docker/go-metrics v0.0.1 // indirect github.com/emicklei/go-restful/v3 v3.12.0 // indirect @@ -65,6 +68,7 @@ require ( github.com/fatih/color v1.17.0 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/fxamacker/cbor/v2 v2.7.0 // indirect github.com/go-errors/errors v1.5.1 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-logr/stdr v1.2.2 // indirect 
@@ -82,11 +86,11 @@ require ( github.com/google/btree v1.1.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect + github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 // indirect github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gorilla/mux v1.8.1 // indirect - github.com/gorilla/websocket v1.5.1 // indirect + github.com/gorilla/websocket v1.5.3 // indirect github.com/gosuri/uitable v0.0.4 // indirect github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect @@ -94,10 +98,10 @@ require ( github.com/huandu/xstrings v1.5.0 // indirect github.com/imdario/mergo v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect - github.com/jmoiron/sqlx v1.3.5 // indirect + github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect - github.com/klauspost/compress v1.17.8 // indirect + github.com/klauspost/compress v1.17.9 // indirect github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/lib/pq v1.10.9 // indirect @@ -110,7 +114,7 @@ require ( github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/locker v1.0.1 // indirect - github.com/moby/spdystream v0.2.0 // indirect + github.com/moby/spdystream v0.4.0 // indirect github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect 
@@ -118,59 +122,62 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.0-rc6 // indirect + github.com/opencontainers/image-spec v1.1.0 // indirect github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/errors v0.9.1 // indirect - github.com/prometheus/client_golang v1.19.1 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/prometheus/client_golang v1.20.4 // indirect github.com/prometheus/client_model v0.6.1 // indirect github.com/prometheus/procfs v0.15.1 // indirect github.com/rivo/uniseg v0.4.6 // indirect - github.com/rubenv/sql-migrate v1.5.2 // indirect + github.com/rubenv/sql-migrate v1.7.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/shopspring/decimal v1.3.1 // indirect + github.com/shopspring/decimal v1.4.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect - github.com/spf13/cast v1.6.0 // indirect + github.com/spf13/cast v1.7.0 // indirect github.com/spf13/cobra v1.8.1 // indirect github.com/spf13/pflag v1.0.5 // indirect + github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/xlab/treeprint v1.2.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect - go.opentelemetry.io/otel v1.28.0 // indirect - go.opentelemetry.io/otel/metric v1.28.0 // indirect - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // 
indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.25.0 // indirect - golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 // indirect - golang.org/x/net v0.27.0 // indirect - golang.org/x/oauth2 v0.21.0 // indirect - golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.22.0 // indirect - golang.org/x/term v0.22.0 // indirect - golang.org/x/time v0.5.0 // indirect + golang.org/x/crypto v0.27.0 // indirect + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect + golang.org/x/net v0.29.0 // indirect + golang.org/x/oauth2 v0.23.0 // indirect + golang.org/x/sync v0.8.0 // indirect + golang.org/x/sys v0.25.0 // indirect + golang.org/x/term v0.24.0 // indirect + golang.org/x/time v0.6.0 // indirect golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d // indirect - google.golang.org/grpc v1.65.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect + google.golang.org/grpc v1.67.1 // indirect google.golang.org/protobuf v1.34.2 // indirect + gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gotest.tools/v3 v3.5.1 // indirect - istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801 // indirect - k8s.io/apiserver v0.30.3 // indirect - k8s.io/component-base v0.30.3 // indirect + istio.io/api v1.23.0-alpha.0.0.20241016001450-1e82bd43199b // indirect + k8s.io/apiserver v0.31.1 // indirect + k8s.io/component-base v0.31.1 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi 
v0.0.0-20240423202451-8948a665c108 // indirect - k8s.io/kubectl v0.30.3 // indirect - k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect + k8s.io/kubectl v0.31.1 // indirect + k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 // indirect oras.land/oras-go v1.2.5 // indirect sigs.k8s.io/controller-tools v0.15.0 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect - sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect + sigs.k8s.io/kustomize/api v0.17.2 // indirect + sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect sigs.k8s.io/yaml v1.4.0 // indirect ) diff --git a/go.sum b/go.sum index 21e138aac..02ff9a929 100644 --- a/go.sum +++ b/go.sum @@ -1,3 +1,7 @@ +dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s= +dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= 
@@ -12,13 +16,12 @@ github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJ github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= -github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= -github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= -github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= +github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0= +github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= -github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= -github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= 
@@ -37,6 +40,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= +github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= @@ -60,8 +65,8 @@ github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= -github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= -github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.3.1 h1:1V7cHiaW+C+39wEfpH6XlLBQo3j/PciWFrgfCLS8XrE= +github.com/cyphar/filepath-securejoin v0.3.1/go.mod h1:F7i41x/9cBF7lzCrVsYs9fuzwRZm4NQsGTBdpp6mETc= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= 
@@ -70,14 +75,14 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0= github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= -github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.3.1+incompatible h1:qEGdFBF3Xu6SCvCYhc7CzaQTlBmqDuzxPDpigSyeKQQ= +github.com/docker/cli v27.3.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v26.0.2+incompatible h1:yGVmKUFGgcxA6PXWAokO0sQL22BrQ67cgVjko8tGdXE= github.com/docker/docker v26.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= -github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= +github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo= +github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c= github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= 
@@ -100,12 +105,14 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= -github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= -github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= +github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E= +github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= 
@@ -132,19 +139,13 @@ github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD87 github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE= github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= -github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= -github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= -github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= -github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= -github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= -github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= -github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= -github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-yaml v1.12.0 h1:/1WHjnMsI1dlIBQutrvSMGZRQufVO3asrHfTwfACoPM= 
@@ -172,20 +173,18 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= -github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5 h1:5iH8iuqE5apketRbSFBy+X1V0o+l+8NF1avt4HWl7cA= +github.com/google/pprof v0.0.0-20240827171923-fa2c70bbbfe5/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= -github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= -github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= +github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg= +github.com/gorilla/websocket 
v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= @@ -197,15 +196,14 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= -github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jmoiron/sqlx v1.3.5 h1:vFFPA71p1o5gAeqtEAwLU4dnX2napprKtHr7PYIcN3g= -github.com/jmoiron/sqlx v1.3.5/go.mod h1:nRVWtLre0KfCLJvgxzCsLVMogSvQ1zNJtpYr2Ccp0mQ= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= 
@@ -215,25 +213,24 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 h1:VzM3TYHDgqPkettiP6I6q2jOeQFL4nrJM+UcAc4f6Fs= github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0/go.mod h1:nqCI7aelBJU61wiBeeZWJ6oi4bJy5nrjkM6lWIMA4j0= -github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= -github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= -github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= +github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= +github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= 
github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= -github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= @@ -242,12 +239,6 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= -github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= -github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= -github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= -github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= -github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= 
@@ -255,24 +246,21 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU= -github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= -github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= -github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs= -github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk= -github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= +github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod 
h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= -github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= -github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= +github.com/moby/spdystream v0.4.0 h1:Vy79D6mHeJJjiPdFEL2yku1kl0chZpJfZcPpb16BRl8= +github.com/moby/spdystream v0.4.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= 
@@ -295,14 +283,14 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= -github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= -github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= +github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo= +github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI= +github.com/onsi/gomega v1.34.2 h1:pNCwDkzrsv7MS9kpaQvVb1aVLahQXyJ/Tv5oAZMI3i8= +github.com/onsi/gomega v1.34.2/go.mod h1:v1xfxRgk0KIsG+QOdm7p8UosrOzPYRo60fd3B/1Dukc= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= -github.com/opencontainers/image-spec v1.1.0-rc6 h1:XDqvyKsJEbRtATzkgItUqBA7QHk58yxX1Ov9HERHNqU= -github.com/opencontainers/image-spec v1.1.0-rc6/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= +github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug= +github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= 
@@ -318,16 +306,16 @@ github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjz github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g= -github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= -github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= +github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI= +github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc= -github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= -github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= +github.com/prometheus/common v0.60.0 h1:+V9PAREWNvJMAuJ1x1BaWl9dewMW4YrHZQbx0sJNllA= +github.com/prometheus/common v0.60.0/go.mod h1:h0LYf1R1deLSKtD4Vdg8gy4RuOvENW2J/h19V5NADQw= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs 
v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= 
@@ -336,23 +324,21 @@ github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoG github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.6 h1:Sovz9sDSwbOz9tgUy8JpT+KgCkPYJEN/oYzlJiYTNLg= github.com/rivo/uniseg v0.4.6/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= -github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= -github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= -github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0= -github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +github.com/rubenv/sql-migrate v1.7.0 h1:HtQq1xyTN2ISmQDggnh0c9U3JlP8apWh8YO2jzlXpTI= +github.com/rubenv/sql-migrate v1.7.0/go.mod h1:S4wtDEG1CKn+0ShpTtzWhFpHHI5PvCUtiGI+C+Z2THE= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= -github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= -github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= -github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal 
v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= @@ -365,7 +351,6 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 
@@ -373,6 +358,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= @@ -384,7 +371,6 @@ github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= 
@@ -393,14 +379,14 @@ github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.starlark.net 
v0.0.0-20231121155337-90ade8b19d09 h1:hzy3LFnSN8kuQK8h9tHl4ndF6UruMj47OqwqsS+/Ai4= go.starlark.net v0.0.0-20231121155337-90ade8b19d09/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= 
@@ -415,75 +401,57 @@ golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnf golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= -golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 h1:wDLEX9a7YQoKdKNQt88rtydkqDxeGaBUTnIYc3iG/mA= -golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= +golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A= +golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= -golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.20.0 h1:utOm6MM3R3dnawAiJgn0y+xvuYRsm1RKM/4giyfDgV0= +golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net 
v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= -golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= -golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= -golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= +golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= +golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= -golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= +golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.2.0/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= -golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= -golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= +golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34= +golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.24.0 h1:Mh5cbb+Zk2hqqXNO7S1iTjEphVL+jb8ZWaqh/g+JWkM= +golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= -golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= -golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224= +golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= +golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= +golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= 
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= -golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= +golang.org/x/tools v0.24.0 h1:J1shsA93PJUEVaUSaay7UXAyE8aimq3GW0pjlolpa24= +golang.org/x/tools v0.24.0/go.mod h1:YhNqVBIfWHdzvTLs0d8LCuMhkKUgSUKldakyV7W/WDQ= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -492,24 +460,25 @@ golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUO golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d h1:kHjw/5UfflP/L5EbledDrcG4C2597RtymmGRZvHiCuY= -google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d h1:JU0iKnSg02Gmb5ZdV8nYsKEKsP6o/FGVWTrw4i1DA9A= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= -google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= -google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f h1:jTm13A2itBi3La6yTGqn8bVSrc3ZZ1r8ENHlIXBfnRA= +google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f/go.mod h1:CLGoBuH1VHxAUXVPP8FfPwPEVJB6lz3URE5mY2SuayE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f h1:cUMEy+8oS78BWIH9OWazBkzbr090Od9tWBNtZHkOhf0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU= +google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E= +google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA= google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod 
h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= +gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= 
@@ -518,48 +487,48 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= -helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0= -helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= -istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801 h1:7cxaHipka0v7rK9/kcthjmIucVnV3jHEROUBHONYeCo= -istio.io/api v1.23.0-alpha.0.0.20240809192158-5302fff8a801/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= -istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19 h1:NwuYY0d6HZLNLHBrgtfZ6Q/dw+DwGYTFPtqoP7XNx7g= -istio.io/client-go v1.23.0-alpha.0.0.20240809192551-f32a7326ae19/go.mod h1:VarGlJP6p95t2P7KKKAPKpnG5XA4fv/y8V6EfgcYRcw= -istio.io/istio v0.0.0-20240813230019-b191b039631b h1:1EWcxrdpcuaNKqOf93hcxS42+n23bfMRJWQHc7MtTOw= -istio.io/istio v0.0.0-20240813230019-b191b039631b/go.mod h1:4YypioCIdszSllDb9Vo+U79ThLw6ilpnsmlJxvVaJ9c= -k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= -k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= -k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= -k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= -k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= -k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= -k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= -k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= -k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= -k8s.io/client-go v0.30.3 
h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= -k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= -k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= -k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +helm.sh/helm/v3 v3.16.1 h1:cER6tI/8PgUAsaJaQCVBUg3VI9KN4oVaZJgY60RIc0c= +helm.sh/helm/v3 v3.16.1/go.mod h1:r+xBHHP20qJeEqtvBXMf7W35QDJnzY/eiEBzt+TfHps= +istio.io/api v1.23.0-alpha.0.0.20241016001450-1e82bd43199b h1:M4Jl9GaT7FW0m4L8GRSip6M5hdUBZYXHyMFMGof0AIs= +istio.io/api v1.23.0-alpha.0.0.20241016001450-1e82bd43199b/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I= +istio.io/client-go v1.23.0-alpha.0.0.20241016001849-29f61837a029 h1:b8K9SSN06AfSMBKy37sS+/VFaUQCnDnHCOJBOXHwYKo= +istio.io/client-go v1.23.0-alpha.0.0.20241016001849-29f61837a029/go.mod h1:EiGjBEP+sbj1M/xdkXX60aVsLmJunLQqMpl2YjmHgS4= +istio.io/istio v0.0.0-20241016035750-1d92787e64d8 h1:v4NkEKghPMy/N32RVARizxMHfJNpQVSHc5Nmu76v4E0= +istio.io/istio v0.0.0-20241016035750-1d92787e64d8/go.mod h1:OjXgkrdrI5myoxr0eDxoWm+q5kFrcgLNlJLRvGd5ZIk= +k8s.io/api v0.31.1 h1:Xe1hX/fPW3PXYYv8BlozYqw63ytA92snr96zMW9gWTU= +k8s.io/api v0.31.1/go.mod h1:sbN1g6eY6XVLeqNsZGLnI5FwVseTrZX7Fv3O26rhAaI= +k8s.io/apiextensions-apiserver v0.31.1 h1:L+hwULvXx+nvTYX/MKM3kKMZyei+UiSXQWciX/N6E40= +k8s.io/apiextensions-apiserver v0.31.1/go.mod h1:tWMPR3sgW+jsl2xm9v7lAyRF1rYEK71i9G5dRtkknoQ= +k8s.io/apimachinery v0.31.1 h1:mhcUBbj7KUjaVhyXILglcVjuS4nYXiwC+KKFBgIVy7U= +k8s.io/apimachinery v0.31.1/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo= +k8s.io/apiserver v0.31.1 h1:Sars5ejQDCRBY5f7R3QFHdqN3s61nhkpaX8/k1iEw1c= +k8s.io/apiserver v0.31.1/go.mod h1:lzDhpeToamVZJmmFlaLwdYZwd7zB+WYRYIboqA1kGxM= +k8s.io/cli-runtime v0.31.1 h1:/ZmKhmZ6hNqDM+yf9s3Y4KEYakNXUn5sod2LWGGwCuk= +k8s.io/cli-runtime v0.31.1/go.mod h1:pKv1cDIaq7ehWGuXQ+A//1OIF+7DI+xudXtExMCbe9U= +k8s.io/client-go v0.31.1 h1:f0ugtWSbWpxHR7sjVpQwuvw9a3ZKLXX0u0itkFXufb0= 
+k8s.io/client-go v0.31.1/go.mod h1:sKI8871MJN2OyeqRlmA4W4KM9KBdBUpDLu/43eGemCg= +k8s.io/component-base v0.31.1 h1:UpOepcrX3rQ3ab5NB6g5iP0tvsgJWzxTyAo20sgYSy8= +k8s.io/component-base v0.31.1/go.mod h1:WGeaw7t/kTsqpVTaCoVEtillbqAhF2/JgvO0LDOMa0w= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= -k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= -k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kubectl v0.31.1 h1:ih4JQJHxsEggFqDJEHSOdJ69ZxZftgeZvYo7M/cpp24= +k8s.io/kubectl v0.31.1/go.mod h1:aNuQoR43W6MLAtXQ/Bu4GDmoHlbhHKuyD49lmTC8eJM= +k8s.io/utils v0.0.0-20240921022957-49e7df575cb6 h1:MDF6h2H/h4tbzmtIKTuctcwZmY0tY9mD9fNT47QO6HI= +k8s.io/utils v0.0.0-20240921022957-49e7df575cb6/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo= oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo= -sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= -sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= +sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q= +sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4= sigs.k8s.io/controller-tools v0.15.0 h1:4dxdABXGDhIa68Fiwaif0vcu32xfwmgQ+w8p+5CxoAI= sigs.k8s.io/controller-tools v0.15.0/go.mod 
h1:8zUSS2T8Hx0APCNRhJWbS3CAQEbIxLa07khzh7pZmXM= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= -sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= -sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= -sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= +sigs.k8s.io/kustomize/api v0.17.2 h1:E7/Fjk7V5fboiuijoZHgs4aHuexi5Y2loXlVOAVAG5g= +sigs.k8s.io/kustomize/api v0.17.2/go.mod h1:UWTz9Ct+MvoeQsHcJ5e+vziRRkwimm3HytpZgIYqye0= +sigs.k8s.io/kustomize/kyaml v0.17.1 h1:TnxYQxFXzbmNG6gOINgGWQt09GghzgTP6mIurOgrLCQ= +sigs.k8s.io/kustomize/kyaml v0.17.1/go.mod h1:9V0mCjIEYjlXuCdYsSXvyoy2BTsLESH7TlGV81S282U= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/hack/api-docs/templates/asciidoctor/gv_details.tpl b/hack/api-docs/templates/asciidoctor/gv_details.tpl new file mode 100644 index 000000000..ebb8912b4 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/gv_details.tpl @@ -0,0 +1,19 @@ +{{- define "gvDetails" -}} +{{- $gv := . -}} +[id="{{ asciidocGroupVersionID $gv | asciidocRenderAnchorID }}"] +=== {{ $gv.GroupVersionString }} + +{{ $gv.Doc }} + +{{- if $gv.Kinds }} +.Resource Types +{{- range $gv.SortedKinds }} +- {{ $gv.TypeForKind . | asciidocRenderTypeLink }} +{{- end }} +{{ end }} + +{{ range $gv.SortedTypes }} +{{ template "type" . }} +{{ end }} + +{{- end -}} \ No newline at end of file 
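Review bot: None of the four new asciidoctor templates ends with a newline (gv_details.tpl here, and gv_list.tpl, type.tpl and type_members.tpl in the following sections), so editors and `git diff` will keep flagging the last line of each; a final newline in all four is worth adding. gv_list.tpl also emits `[id="{p}-api-reference"]`, where `{p}` is an AsciiDoc attribute reference that nothing in this change defines; if the documentation build supplies it, a template comment at the top of gv_list.tpl such as `{{/* {p} is an AsciiDoc attribute supplied by the doc build; it prefixes the top-level anchor id */}}` saves the next reader a search, and if it is not supplied the anchor renders with a literal `{p}`.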
diff --git a/hack/api-docs/templates/asciidoctor/gv_list.tpl b/hack/api-docs/templates/asciidoctor/gv_list.tpl new file mode 100644 index 000000000..7417e4399 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/gv_list.tpl @@ -0,0 +1,16 @@ +{{- define "gvList" -}} +{{- $groupVersions := . -}} + +[id="{p}-api-reference"] +== API Reference + +.Packages +{{- range $groupVersions }} +- {{ asciidocRenderGVLink . }} +{{- end }} + +{{ range $groupVersions }} +{{ template "gvDetails" . }} +{{ end }} + +{{- end -}} \ No newline at end of file diff --git a/hack/api-docs/templates/asciidoctor/type.tpl b/hack/api-docs/templates/asciidoctor/type.tpl new file mode 100644 index 000000000..5b9489963 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/type.tpl 
@@ -0,0 +1,58 @@ +{{- define "type" -}} +{{- $type := . -}} +{{- if asciidocShouldRenderType $type -}} +{{- if not $type.Markers.hidefromdoc -}} + +[id="{{ asciidocTypeID $type | asciidocRenderAnchorID }}"] +==== {{ $type.Name }} + +{{ if $type.IsAlias }}_Underlying type:_ _{{ asciidocRenderTypeLink $type.UnderlyingType }}_{{ end }} + +{{ $type.Doc }} + +{{ if $type.Validation -}} +.Validation: +{{- range $type.Validation }} +- {{ . }} +{{- end }} +{{- end }} + +{{ if $type.References -}} +.Appears In: +**** +{{- range $type.SortedReferences }} +- {{ asciidocRenderTypeLink . }} +{{- end }} +**** +{{- end }} + +{{ if $type.Members -}} +[cols="20a,50a,15a,15a", options="header"] +|=== +| Field | Description | Default | Validation +{{ if $type.GVK -}} +| *`apiVersion`* __string__ | `{{ $type.GVK.Group }}/{{ $type.GVK.Version }}` | | +| *`kind`* __string__ | `{{ $type.GVK.Kind }}` | | +{{ end -}} + +{{ range $type.Members -}} +{{ with .Markers.hidefromdoc -}} +{{ else -}} +| *`{{ .Name }}`* __{{ asciidocRenderType .Type }}__ | {{ template "type_members" . }} | {{ .Default }} | {{ range .Validation -}} {{ asciidocRenderValidation . }} +{{ end }} +{{ end }} +{{ end -}} +|=== +{{ end -}} + +{{ if $type.EnumValues -}} +|=== +| Field | Description | +{{ range $type.EnumValues -}} +| `{{ .Name }}` | {{ asciidocRenderFieldDoc .Doc }} + +{{ end -}} +|=== +{{ end -}} + +{{- end -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/hack/api-docs/templates/asciidoctor/type_members.tpl b/hack/api-docs/templates/asciidoctor/type_members.tpl new file mode 100644 index 000000000..754d209d6 --- /dev/null +++ b/hack/api-docs/templates/asciidoctor/type_members.tpl @@ -0,0 +1,8 @@ +{{- define "type_members" -}} +{{- $field := . -}} +{{- if eq $field.Name "metadata" -}} +Refer to Kubernetes API documentation for fields of `metadata`. +{{ else -}} +{{ asciidocRenderFieldDoc $field.Doc }} +{{- end -}} +{{- end -}} \ No newline at end of file 
diff --git a/hack/api_transformer/transform.yaml b/hack/api_transformer/transform.yaml
index 4c5ed04bd..5a9a0c95a 100644
--- a/hack/api_transformer/transform.yaml
+++ b/hack/api_transformer/transform.yaml
@@ -42,8 +42,10 @@ globalTransformations:
 inputFiles:
 - module: istio.io/istio
- path: /operator/pkg/apis/istio/v1alpha1/values_types.pb.go
+ path: /operator/pkg/apis/values_types.pb.go
 transformations:
+ renameImports:
+ v1: k8sv1
 removeTypes:
 - EgressGatewayConfig
 - IngressGatewayConfig
diff --git a/hack/extract-istio-crds.sh b/hack/extract-istio-crds.sh
index d693be103..6045c8a57 100755
--- a/hack/extract-istio-crds.sh
+++ b/hack/extract-istio-crds.sh
@@ -16,7 +16,11 @@
 set -euo pipefail
-INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/crds/crd-all.gen.yaml"
+INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/files/crd-all.gen.yaml"
+# check if the file exists and adjust the file path if necessary (this is needed because older Istio versions have the CRDs in a different location)
+if [ ! -f "${INPUT_FILE}" ]; then
+ INPUT_FILE="$(go list -m -f '{{.Dir}}' istio.io/istio)/manifests/charts/base/crds/crd-all.gen.yaml"
+fi
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 REPO_ROOT=$(dirname "${SCRIPT_DIR}")
diff --git a/hack/helm-artifacts.sh b/hack/helm-artifacts.sh
new file mode 100755
index 000000000..248d81c40
--- /dev/null
+++ b/hack/helm-artifacts.sh
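Review bot: When neither CRD location exists, the new fallback leaves `INPUT_FILE` pointing at a missing file and the script carries on, so the failure surfaces later at whatever first reads the file rather than where the cause is known; after the `fi`, `[ -f "${INPUT_FILE}" ] || { echo "crd-all.gen.yaml not found under the istio.io/istio module (checked files/ and crds/)" >&2; exit 1; }` makes the error explicit. The `go list -m -f '{{.Dir}}' istio.io/istio` lookup is now run twice; capturing it once, e.g. `ISTIO_DIR="$(go list -m -f '{{.Dir}}' istio.io/istio)"`, and building both candidate paths from it avoids the repeated module resolution. The rest of the script is outside the hunk.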
@@ -0,0 +1,123 @@ +#!/bin/bash +# shellcheck disable=SC1091 + +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +CUR_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +source "${CUR_DIR}"/validate_semver.sh + +GITHUB_TOKEN="${GITHUB_TOKEN:-}" + +GIT_CONFIG_USER_NAME="${GIT_CONFIG_USER_NAME:-}" +GIT_CONFIG_USER_EMAIL="${GIT_CONFIG_USER_EMAIL:-}" + +UPSTREAM_OPERATOR_NAME="${UPSTREAM_OPERATOR_NAME:-"sail-operator"}" +OWNER="${OWNER:-"istio-ecosystem"}" +HUB_REPO_URL="${HUB_REPO_URL:-github.com/${OWNER}/${UPSTREAM_OPERATOR_NAME}}" +HUB_HELM_BRANCH="${HUB_HIVE_BRANCH:-"gh-pages"}" +HUB_HELM_ARTIFACT_URL="https://${HUB_REPO_URL}/releases/download/${OPERATOR_VERSION}"/ + +: "${OPERATOR_VERSION:?"Missing OPERATOR_VERSION variable"}" + +show_help() { + cat < /dev/null; then + die "Helm command is missing" + fi + + TMP_DIR=$(mktemp -d) + trap 'rm -rf "${TMP_DIR}"' EXIT + + git clone --single-branch --depth=1 --branch "${HUB_HELM_BRANCH}" "https://${GIT_USER}:${GITHUB_TOKEN}@${HUB_REPO_URL}" "${TMP_DIR}/${UPSTREAM_OPERATOR_NAME}" + cd "${TMP_DIR}/${UPSTREAM_OPERATOR_NAME}" + + if ! git config user.name; then + git config user.name "${GIT_CONFIG_USER_NAME}" + fi + + if ! 
git config user.email; then + git config user.email "${GIT_CONFIG_USER_EMAIL}" + fi +} + +function fetch_released_artifact() { + echo "Fetch released helm artifact" + + wget "${HUB_HELM_ARTIFACT_URL}/${UPSTREAM_OPERATOR_NAME}-${OPERATOR_VERSION}.tgz" +} + +function update_helm_repo_index() { + echo "Update index of Helm repo" + local helm_branch="update_helm_artifact_${OPERATOR_VERSION}" + + git checkout -b "$helm_branch" + helm repo index --merge index.yaml . --url "${HUB_HELM_ARTIFACT_URL}" + git add index.yaml + git commit -m "Add new sail-operator chart release - ${OPERATOR_VERSION}" + git push origin "$helm_branch" + + PAYLOAD="${TMP_DIR}/PAYLOAD" + + jq -c -n \ + --arg msg "Add new sail-operator chart release - ${OPERATOR_VERSION}" \ + --arg head "${OWNER}:${helm_branch}" \ + --arg base "${HUB_HELM_BRANCH}" \ + --arg title "Helm artifact ${OPERATOR_VERSION}" \ + '{head: $head, base: $base, title: $title, body: $msg }' > "${PAYLOAD}" + + curl --fail-with-body -X POST \ + -H "Authorization: token ${GITHUB_TOKEN}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/"${OWNER}/${UPSTREAM_OPERATOR_NAME}"/pulls \ + --data-binary "@${PAYLOAD}" +} + +while test $# -gt 0; do + case "$1" in + -h|--help) + show_help + exit 0 + ;; + *) + echo "Unknown param $1" + exit 1 + ;; + esac +done + +prepare_repo +fetch_released_artifact +update_helm_repo_index diff --git a/hack/operatorhub/publish-bundle.sh b/hack/operatorhub/publish-bundle.sh index 59fbe2785..e72e12858 100755 --- a/hack/operatorhub/publish-bundle.sh +++ b/hack/operatorhub/publish-bundle.sh @@ -23,6 +23,9 @@ source "${CUR_DIR}"/../validate_semver.sh GITHUB_TOKEN="${GITHUB_TOKEN:-}" GIT_USER="${GIT_USER:-}" +GIT_CONFIG_USER_NAME="${GIT_CONFIG_USER_NAME:-}" +GIT_CONFIG_USER_EMAIL="${GIT_CONFIG_USER_EMAIL:-}" + # The OPERATOR_NAME is defined in Makefile : "${OPERATOR_NAME:?"Missing OPERATOR_NAME variable"}" : "${OPERATOR_VERSION:?"Missing OPERATOR_VERSION variable"}" 
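Review bot: prepare_repo embeds the token in the clone URL, `"https://${GIT_USER}:${GITHUB_TOKEN}@${HUB_REPO_URL}"`, so it is passed on the git command line and stored as the origin URL of the temporary clone that the later `git push origin` uses; cloning the credential-free `https://${HUB_REPO_URL}` and supplying the token out of band (a credential helper or `GIT_ASKPASS`) keeps it out of process arguments and out of any git error output. Two smaller points in the variable block: `HUB_HELM_BRANCH="${HUB_HIVE_BRANCH:-"gh-pages"}"` reads an environment variable whose name does not match the variable it sets, presumably a typo for `HUB_HELM_BRANCH`, and `HUB_HELM_ARTIFACT_URL` expands `${OPERATOR_VERSION}` one line before the `: "${OPERATOR_VERSION:?...}"` guard, so under `set -u` a missing version fails on the URL line with the generic unbound-variable message rather than the intended one. `GIT_CONFIG_USER_NAME` and `GIT_CONFIG_USER_EMAIL` default to empty strings and are handed to `git config` unchecked, so a missing value only surfaces at `git commit`; the same pattern appears in hack/operatorhub/publish-bundle.sh in this commit. The part of the script between show_help and prepare_repo is garbled in this view (the heredoc is missing), so whether validate_semver is applied to OPERATOR_VERSION cannot be confirmed here.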
@@ -96,6 +99,14 @@ BUNDLE_DIR="${CUR_DIR}"/../../bundle
 mkdir -p "${OPERATORS_DIR}"
 cp -a "${BUNDLE_DIR}"/. "${OPERATORS_DIR}"
+if ! git config --global user.name; then
+ skipInDryRun git config --global user.name "${GIT_CONFIG_USER_NAME}"
+fi
+
+if ! git config --global user.email; then
+ skipInDryRun git config --global user.email "${GIT_CONFIG_USER_EMAIL}"
+fi
+
 TITLE="operator ${OPERATOR_NAME} (${OPERATOR_VERSION})"
 skipInDryRun git add .
 skipInDryRun git commit -s -m"${TITLE}"
diff --git a/hack/patch-csv.sh b/hack/patch-csv.sh
index 10225cac5..a5f5cfbd2 100755
--- a/hack/patch-csv.sh
+++ b/hack/patch-csv.sh
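Review bot: The new blocks write to the runner's global git configuration (`git config --global user.name ...`) rather than to the repository being committed to, so the identity persists for every later git invocation on that machine and differs from the per-repository `git config user.name` that hack/helm-artifacts.sh uses in the same commit; unless a later step depends on the global setting, the same two lines without `--global`, run inside the clone, are sufficient. The guard `if ! git config --global user.name; then` also prints the existing value to stdout when one is set, which is harmless but noisy in CI logs; `if ! git config --global user.name >/dev/null; then` keeps the log clean. The enclosing script continues outside the hunk, so the working directory at this point is not visible here.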
@@ -52,28 +52,42 @@ function get_field() { component_dir="istiod" fi - # Set if non null order from the component most specific to the most generic + # The following code tries to find the field in several places: + # 1) .defaults.. + field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" # 2) .defaults.global.. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi # 3) .defaults. + if is_empty_or_null "${field}"; then + field="$(${YQ} ".defaults.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi # 4) .defaults.global. - # Example: - # .defaults.istiod.hub == null - # .defaults.global.istiod.hub == null - # .defaults.hub == null - # .defaults.global.hub == "gcr.io/istio-testing" - - field="$(${YQ} ".defaults.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.global.${COMPONENTS[$component_name]}.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - if is_empty_or_null "${field}"; then - field="$(${YQ} ".defaults.global.${field_name}" resources/"${version}"/charts/"${component_dir}"/values.yaml)" - fi - fi + field="$(${YQ} ".defaults.global.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 5) ._internal_defaults_do_not_set.. + if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 6) ._internal_defaults_do_not_set.global.. 
+ if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.global.${COMPONENTS[$component_name]}.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 7) ._internal_defaults_do_not_set. + if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" + fi + # 8) ._internal_defaults_do_not_set.global. + if is_empty_or_null "${field}"; then + field="$(${YQ} "._internal_defaults_do_not_set.global.${field_name}" "resources/${version}/charts/${component_dir}/values.yaml")" fi + if is_empty_or_null "${field}"; then + field="" + fi echo "${field}" } @@ -94,6 +108,11 @@ for version in ${versions}; do image=$(get_field "${version}" "image" "${component_name}") tag=$(get_field "${version}" "tag" "${component_name}") + if [ -z "${hub}" ] || [ -z "${image}" ] || [ -z "${tag}" ]; then + echo "Missing hub, image or tag for version ${version}, component ${component_name}" + exit 1 + fi + # Add .spec.install.spec.deployments[0].spec.template.metadata.annotations with olm.relatedImage ${YQ} -i '.spec.install.spec.deployments[0].spec.template.metadata.annotations |= (. + {"images.'"${name}"'": "'"${hub}"'/'"${image}"':'"${tag}"'"})' "${clusterserviceversion_file_path}" diff --git a/hack/update-istio.sh b/hack/update-istio.sh index 80f76cf1c..b85508e7e 100755 --- a/hack/update-istio.sh +++ b/hack/update-istio.sh 
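Review bot: The eight lookups in get_field repeat the same `${YQ} "<path>" "resources/${version}/charts/${component_dir}/values.yaml"` call and the same `is_empty_or_null` guard, so the search order, which is the part that matters, is buried in boilerplate and the values-file path is spelled out eight times; iterating over an ordered list of yq paths and returning the first non-null hit expresses the same logic in a third of the lines, as sketched below. The function header of get_field sits above the hunk, so only the tail of the `component_dir` derivation is visible. The numbered comments read `.defaults..` and `.defaults.global..` in this view, which looks like angle-bracketed placeholders lost in rendering; worth confirming the committed file still names the component and field parts.
```shell
  # … unchanged: component_dir selection …
  local values_file="resources/${version}/charts/${component_dir}/values.yaml"
  local component="${COMPONENTS[$component_name]}"
  local path
  # Search order: most specific to most generic; the first non-null value wins.
  for path in \
    ".defaults.${component}.${field_name}" \
    ".defaults.global.${component}.${field_name}" \
    ".defaults.${field_name}" \
    ".defaults.global.${field_name}" \
    "._internal_defaults_do_not_set.${component}.${field_name}" \
    "._internal_defaults_do_not_set.global.${component}.${field_name}" \
    "._internal_defaults_do_not_set.${field_name}" \
    "._internal_defaults_do_not_set.global.${field_name}"; do
    field="$(${YQ} "${path}" "${values_file}")"
    if ! is_empty_or_null "${field}"; then
      echo "${field}"
      return 0
    fi
  done
  # Nothing found at any level: emit an empty string, as before.
  echo ""
```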
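Review bot: The new guard's message goes to stdout (`echo "Missing hub, image or tag ..."`) although it is the reason for `exit 1`; writing it to stderr, `echo "Missing hub, image or tag for version ${version}, component ${component_name}" >&2`, keeps it visible when the script's stdout is captured or piped. The check itself closes a real gap: get_field now returns an empty string for an absent value, and without this guard an empty hub or tag would have been written into the olm.relatedImage annotation on the next line. The `for version` loop this sits in starts outside the hunk.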
@@ -110,22 +110,18 @@ function update_latest() { done echo - FULL_VERSION=$(curl -sSfL "${URL}") - echo Full version: "${FULL_VERSION}" - - PARTIAL_VERSION="${FULL_VERSION%.*}" - echo Partial version: "${PARTIAL_VERSION}" + VERSION=$(curl -sSfL "${URL}") + echo Version: "${VERSION}" yq -i ' - (.versions[] | select(.name == "latest") | .version) = "'"${PARTIAL_VERSION}"'" | + (.versions[] | select(.name == "latest") | .version) = "'"${VERSION}"'" | (.versions[] | select(.name == "latest") | .commit) = "'"${COMMIT}"'" | (.versions[] | select(.name == "latest") | .charts) = [ - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/base-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/cni-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/gateway-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/istiod-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/istiod-remote-'"${FULL_VERSION}"'.tgz", - "https://storage.googleapis.com/istio-build/dev/'"${FULL_VERSION}"'/helm/ztunnel-'"${FULL_VERSION}"'.tgz" + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/base-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/cni-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/gateway-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/istiod-'"${VERSION}"'.tgz", + "https://storage.googleapis.com/istio-build/dev/'"${VERSION}"'/helm/ztunnel-'"${VERSION}"'.tgz" ]' "${VERSIONS_YAML_FILE}" } diff --git a/ossm/values.yaml b/ossm/values.yaml index 22394a369..9da42e4e3 100644 --- a/ossm/values.yaml +++ b/ossm/values.yaml 
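Review bot: `VERSION` is fetched from a remote URL and then spliced unescaped into the yq program (`'"${VERSION}"'`) and into the chart URLs, so unexpected response content — a quote, a newline, an HTML error body — would rewrite the yq expression or produce bogus chart URLs rather than fail cleanly. A shape check before the `yq -i` call, `[[ "${VERSION}" =~ ^[0-9A-Za-z._-]+$ ]] || { echo "unexpected version string from ${URL}: ${VERSION}" >&2; exit 1; }`, turns that into an explicit failure at the point where the value enters the file. `update_latest` begins outside the hunk.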
@@ -2,12 +2,12 @@ name: servicemeshoperator3 deployment: name: servicemesh-operator3 annotations: - images.v1_23_0.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.0.tp.1 - images.v1_23_0.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:3.0.0.tp.1 - images.v1_23_0.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:1.23.0.tp.1 + images.v1_23_2.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.2.tp.1 + images.v1_23_2.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9:3.0.0.tp.1 + images.v1_23_2.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9:1.23.2.tp.1 # TODO insert ztunnel image name once we're shipping ztunnel - images.v1_23_0.ztunnel: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.0.tp.1 - images.v1_23_0.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9:3.0.0.tp.1 + images.v1_23_2.ztunnel: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9:1.23.2.tp.1 + images.v1_23_2.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9:3.0.0.tp.1 service: port: 8443 serviceAccountName: servicemesh-operator3 diff --git a/pkg/enqueuelogger/queue.go b/pkg/enqueuelogger/queue.go index f0f3b4b55..b8c76d522 100644 --- a/pkg/enqueuelogger/queue.go +++ b/pkg/enqueuelogger/queue.go 
@@ -18,22 +18,19 @@ import ( "time" "k8s.io/client-go/util/workqueue" + "sigs.k8s.io/controller-runtime/pkg/reconcile" ) // AdditionNotifierQueue is a queue that calls an onAdd function whenever an item is added to the queue. // It is meant to be used in conjunction with EnqueueEventLogger to log items enqueued by a handler. type AdditionNotifierQueue struct { - delegate workqueue.RateLimitingInterface - onAdd func(item any) + delegate workqueue.TypedRateLimitingInterface[reconcile.Request] + onAdd func(item reconcile.Request) } -var _ workqueue.RateLimitingInterface = &AdditionNotifierQueue{} +var _ workqueue.TypedRateLimitingInterface[reconcile.Request] = &AdditionNotifierQueue{} -func NewAdditionNotifierQueue(delegate workqueue.RateLimitingInterface, onAddFunc func(item any)) *AdditionNotifierQueue { - return &AdditionNotifierQueue{delegate: delegate} -} - -func (q *AdditionNotifierQueue) Add(item interface{}) { +func (q *AdditionNotifierQueue) Add(item reconcile.Request) { q.delegate.Add(item) q.onAdd(item) } @@ -42,11 +39,11 @@ func (q *AdditionNotifierQueue) Len() int { return q.delegate.Len() } -func (q *AdditionNotifierQueue) Get() (item interface{}, shutdown bool) { +func (q *AdditionNotifierQueue) Get() (item reconcile.Request, shutdown bool) { return q.delegate.Get() } -func (q *AdditionNotifierQueue) Done(item interface{}) { +func (q *AdditionNotifierQueue) Done(item reconcile.Request) { q.delegate.Done(item) } 
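Review bot: With `NewAdditionNotifierQueue` removed, `Add` (and `AddAfter`/`AddRateLimited` in the `@@ -62,20 +59,20 @@` hunk) call `q.onAdd(item)` unconditionally, so an `AdditionNotifierQueue` built as a struct literal without `onAdd` panics with a nil function call on first use. Either guard each of the three call sites with `if q.onAdd != nil { q.onAdd(item) }`, or extend the type comment to state that `onAdd` must be set by whoever constructs the value. Deleting the constructor rather than fixing it is reasonable given it silently dropped `onAddFunc`, as long as every remaining construction site sets both fields. The `Get`/`Done` hunk is a pure type change and needs nothing further.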
@@ -62,20 +59,20 @@ func (q *AdditionNotifierQueue) ShuttingDown() bool { return q.delegate.ShuttingDown() } -func (q *AdditionNotifierQueue) AddAfter(item interface{}, duration time.Duration) { +func (q *AdditionNotifierQueue) AddAfter(item reconcile.Request, duration time.Duration) { q.delegate.AddAfter(item, duration) q.onAdd(item) } -func (q *AdditionNotifierQueue) AddRateLimited(item interface{}) { +func (q *AdditionNotifierQueue) AddRateLimited(item reconcile.Request) { q.delegate.AddRateLimited(item) q.onAdd(item) } -func (q *AdditionNotifierQueue) Forget(item interface{}) { +func (q *AdditionNotifierQueue) Forget(item reconcile.Request) { q.delegate.Forget(item) } -func (q *AdditionNotifierQueue) NumRequeues(item interface{}) int { +func (q *AdditionNotifierQueue) NumRequeues(item reconcile.Request) int { return q.delegate.NumRequeues(item) } diff --git a/pkg/enqueuelogger/wrapper.go b/pkg/enqueuelogger/wrapper.go index 6aae8122e..f7c20472d 100644 --- a/pkg/enqueuelogger/wrapper.go +++ b/pkg/enqueuelogger/wrapper.go 
@@ -40,27 +40,28 @@ type EnqueueEventLogger struct { var _ handler.EventHandler = &EnqueueEventLogger{} -func (h *EnqueueEventLogger) Create(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Create(ctx context.Context, e event.TypedCreateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Create(ctx, e, h.wrapQueue(q, "Create", e.Object)) } -func (h *EnqueueEventLogger) Update(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Update(ctx context.Context, e event.TypedUpdateEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Update(ctx, e, h.wrapQueue(q, "Update", e.ObjectNew)) } -func (h *EnqueueEventLogger) Delete(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Delete(ctx context.Context, e event.TypedDeleteEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Delete(ctx, e, h.wrapQueue(q, "Delete", e.Object)) } -func (h *EnqueueEventLogger) Generic(ctx context.Context, e event.TypedGenericEvent[client.Object], q workqueue.RateLimitingInterface) { +func (h *EnqueueEventLogger) Generic(ctx context.Context, e event.TypedGenericEvent[client.Object], q workqueue.TypedRateLimitingInterface[reconcile.Request]) { h.delegate.Generic(ctx, e, h.wrapQueue(q, "Generic", e.Object)) } -func (h *EnqueueEventLogger) wrapQueue(q workqueue.RateLimitingInterface, eventType string, obj client.Object) workqueue.RateLimitingInterface { +func (h *EnqueueEventLogger) wrapQueue( + q workqueue.TypedRateLimitingInterface[reconcile.Request], eventType string, obj client.Object, +) workqueue.TypedRateLimitingInterface[reconcile.Request] { return &AdditionNotifierQueue{ delegate: q, - onAdd: func(item any) { - request := 
item.(reconcile.Request) + onAdd: func(request reconcile.Request) { requestSummary := ObjectSummary{ Kind: h.kind, Namespace: request.Namespace, diff --git a/pkg/kube/key.go b/pkg/kube/key.go index 116359fd3..98e3f1946 100644 --- a/pkg/kube/key.go +++ b/pkg/kube/key.go @@ -16,7 +16,7 @@ package kube import "sigs.k8s.io/controller-runtime/pkg/client" -// key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped +// Key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped func Key(name string, namespace ...string) client.ObjectKey { if len(namespace) > 1 { panic("you can only provide one namespace") diff --git a/pkg/reconciler/reconciler.go b/pkg/reconciler/reconciler.go index 1502f5f0c..d61cf03e7 100644 --- a/pkg/reconciler/reconciler.go +++ b/pkg/reconciler/reconciler.go @@ -32,7 +32,7 @@ type ReconcileFunc[T client.Object] func(ctx context.Context, obj T) (ctrl.Resul // FinalizeFunc is a function that finalizes an object. It does not remove the finalizer. type FinalizeFunc[T client.Object] func(ctx context.Context, obj T) error -// StandardRecociler encapsulates common reconciler behavior, allowing you to +// StandardReconciler encapsulates common reconciler behavior, allowing you to // implement a reconciler simply by providing a ReconcileFunc and an optional // FinalizeFunc. These functions are invoked at the appropriate time and are // passed the object being reconciled. diff --git a/pkg/test/util/supportedversion/supportedversion.go b/pkg/test/util/supportedversion/supportedversion.go index 59cd44e56..86a89013e 100644 --- a/pkg/test/util/supportedversion/supportedversion.go +++ b/pkg/test/util/supportedversion/supportedversion.go 
@@ -18,12 +18,14 @@ import ( "os" "path/filepath" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/pkg/test/project" "gopkg.in/yaml.v3" ) var ( List []VersionInfo + Map map[string]VersionInfo Default string Old string New string @@ -41,18 +43,28 @@ func init() { panic(err) } + List, Default, Old, New = mustParseVersionsYaml(versionsBytes) + + Map = make(map[string]VersionInfo) + for _, v := range List { + Map[v.Name] = v + } +} + +func mustParseVersionsYaml(yamlBytes []byte) (list []VersionInfo, defaultVersion string, oldVersion string, newVersion string) { versions := Versions{} - err = yaml.Unmarshal(versionsBytes, &versions) + err := yaml.Unmarshal(yamlBytes, &versions) if err != nil { panic(err) } - List = versions.Versions - Default = List[0].Name - if len(List) > 1 { - Old = List[1].Name + list = versions.Versions + defaultVersion = list[0].Name + if len(list) > 1 { + oldVersion = list[1].Name } - New = List[0].Name + newVersion = list[0].Name + return list, defaultVersion, oldVersion, newVersion } type Versions struct { @@ -60,10 +72,10 @@ type Versions struct { } type VersionInfo struct { - Name string `json:"name"` - Version string `json:"version"` - Repo string `json:"repo"` - Branch string `json:"branch,omitempty"` - Commit string `json:"commit"` - Charts []string `json:"charts,omitempty"` + Name string `json:"name"` + Version *semver.Version `json:"version"` + Repo string `json:"repo"` + Branch string `json:"branch,omitempty"` + Commit string `json:"commit"` + Charts []string `json:"charts,omitempty"` } diff --git a/pkg/test/util/supportedversion/supportedversion_test.go b/pkg/test/util/supportedversion/supportedversion_test.go new file mode 100644 index 000000000..a850ebbae --- /dev/null +++ b/pkg/test/util/supportedversion/supportedversion_test.go 
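Review bot: `mustParseVersionsYaml` indexes `list[0]` straight after unmarshalling, so a versions.yaml whose `versions:` key is missing or empty panics with an index-out-of-range message instead of saying what is wrong; add `if len(list) == 0 { panic("versions.yaml contains no versions") }` before `defaultVersion = list[0].Name`. The struct tags are `json:` while the file is parsed with yaml.v3, which honours only `yaml:` tags and otherwise matches the lowercased field name — that happens to line up for every field here, but `yaml:"version"` and friends would make the mapping explicit rather than coincidental. `Version` is now `*semver.Version`, which presumably relies on semver implementing `encoding.TextUnmarshaler` for yaml.v3 to decode it (worth confirming against the vendored version), and a doc comment on the field stating the accepted string form in versions.yaml (for example whether a `v` prefix is allowed) would help the people editing that file. The start of `init` is outside the hunk.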
@@ -0,0 +1,78 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package supportedversion + +import ( + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestInit(t *testing.T) { + // no need to call init(), since it's called automatically + assert.True(t, len(List) > 0, "List should not be empty") + assert.True(t, len(Map) > 0, "M should not be empty") + assert.True(t, Default != "", "Default should not be empty") + assert.True(t, Old != "", "Default should not be empty") + assert.True(t, New != "", "Default should not be empty") + + assert.Equal(t, len(List), len(Map), "Map should be same size as List") + for _, vi := range List { + assert.Equal(t, vi, Map[vi.Name]) + } +} + +func TestParseVersionsYaml_ValidYaml(t *testing.T) { + yamlBytes := []byte(` +versions: + - name: "1.0.0" + repo: "repo1" + commit: "commit1" + - name: "2.0.0" + repo: "repo2" + commit: "commit2" +`) + + list, defaultVersion, oldVersion, newVersion := mustParseVersionsYaml(yamlBytes) + + assert.Len(t, list, 2) + assert.Equal(t, "1.0.0", defaultVersion) + assert.Equal(t, "2.0.0", oldVersion) + assert.Equal(t, "1.0.0", newVersion) +} + +func TestParseVersionsYaml_SingleVersion(t *testing.T) { + yamlBytes := []byte(` +versions: + - name: "1.0.0" + repo: "repo1" + commit: "commit1" +`) + + list, defaultVersion, oldVersion, newVersion := mustParseVersionsYaml(yamlBytes) + + assert.Len(t, list, 1) + assert.Equal(t, "1.0.0", defaultVersion) + 
assert.Equal(t, "", oldVersion) + assert.Equal(t, "1.0.0", newVersion) +} + +func TestParseVersionsYaml_InvalidYaml(t *testing.T) { + yamlBytes := []byte(`invalid yaml`) + + assert.Panics(t, func() { + mustParseVersionsYaml(yamlBytes) + }) +} diff --git a/tests/e2e/common-operator-integ-suite.sh b/tests/e2e/common-operator-integ-suite.sh index dd5625bb8..8ad6b80c5 100755 --- a/tests/e2e/common-operator-integ-suite.sh +++ b/tests/e2e/common-operator-integ-suite.sh @@ -29,6 +29,7 @@ parse_flags() { SKIP_DEPLOY=${SKIP_DEPLOY:-false} OLM=${OLM:-false} DESCRIBE=false + MULTICLUSTER=false while [ $# -gt 0 ]; do case "$1" in --ocp) @@ -39,6 +40,10 @@ parse_flags() { shift OCP=false ;; + --multicluster) + shift + MULTICLUSTER=true + ;; --skip-build) shift SKIP_BUILD=true @@ -80,6 +85,10 @@ parse_flags() { echo "Running on kind" fi + if [ "${MULTICLUSTER}" == "true" ]; then + echo "Running on multicluster" + fi + if [ "${SKIP_BUILD}" == "true" ]; then echo "Skipping build" fi @@ -108,8 +117,10 @@ initialize_variables() { COMMAND="kubectl" ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}" KUBECONFIG="${KUBECONFIG:-"${ARTIFACTS}/config"}" + ISTIOCTL="${ISTIOCTL:-"istioctl"}" LOCALBIN="${LOCALBIN:-${HOME}/bin}" OPERATOR_SDK=${LOCALBIN}/operator-sdk + IP_FAMILY=${IP_FAMILY:-ipv4} if [ "${OCP}" == "true" ]; then COMMAND="oc" 
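Review bot: Three assertions in `TestInit` reuse the message "Default should not be empty" for `Old` and `New`, and the `Map` check says "M should not be empty", so a failure would point at the wrong variable; for example `assert.True(t, Old != "", "Old should not be empty")`. None of the fixtures contain a `version:` key, so the new `*semver.Version` field is never exercised by the parse tests; a case with `version: "1.23.2"` asserting `list[0].Version.String()`, and one with an empty `versions:` list pinning the intended behaviour, would cover the two paths this commit changes. `TestInit` also depends on the repository's real versions.yaml having at least two entries for `Old` to be non-empty, which deserves a one-line comment.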
@@ -234,10 +245,27 @@ if [ "${SKIP_BUILD}" == "false" ]; then # Install OLM in the cluster because it's not available by default in kind. ${OPERATOR_SDK} olm install + # Wait for for the CatalogSource to be CatalogSource.status.connectionState.lastObservedState == READY + ${COMMAND} wait catalogsource operatorhubio-catalog -n olm --for 'jsonpath={.status.connectionState.lastObservedState}=READY' --timeout=5m + # Create operator namespace ${COMMAND} create ns "${NAMESPACE}" || echo "Creation of namespace ${NAMESPACE} failed with the message: $?" # Deploy the operator using OLM - ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls + ${OPERATOR_SDK} run bundle "${BUNDLE_IMG}" -n "${NAMESPACE}" --skip-tls --timeout 5m || { + echo "****** run bundle failed, running debug information" + # Get all the pods in the namespace + ${COMMAND} get pods -n "${NAMESPACE}" + + # Get all the pods in olm namespace + ${COMMAND} get pods -n olm + + # Describe all the olm pods by iterating over the pods + for pod in $(${COMMAND} get pods -n olm -o name); do + echo "*** Describing pod: ${pod}" + ${COMMAND} describe "${pod}" + done + exit 1 + } # Wait for the operator to be ready ${COMMAND} wait --for=condition=available deployment/"${DEPLOYMENT_NAME}" -n "${NAMESPACE}" --timeout=5m 
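Review bot: The debug block that runs when `run bundle` fails lists and describes pods in `olm` but only lists pods in `${NAMESPACE}`; `${COMMAND} get events -n "${NAMESPACE}" --sort-by=.lastTimestamp` and `${COMMAND} describe subscription,installplan -n "${NAMESPACE}"` are usually what explain a bundle that never reaches the deployment. The new comment reads `Wait for for the CatalogSource`; `# Wait for the CatalogSource to report lastObservedState == READY` is what was meant. The pre-existing `--skip-tls` on `run bundle` disables certificate checking for the bundle pull; if that is acceptable only because the bundle comes from the local kind registry, a comment saying so next to the new `--timeout 5m` would stop it being copied into other scripts.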
@@ -257,7 +285,7 @@ fi # Run the go test passing the env variables defined that are going to be used in the operator tests # shellcheck disable=SC2086 -IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \ -NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" \ -ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" \ +IMAGE="${HUB}/${IMAGE_BASE}:${TAG}" SKIP_DEPLOY="${SKIP_DEPLOY}" OCP="${OCP}" IP_FAMILY="${IP_FAMILY}" ISTIO_MANIFEST="${ISTIO_MANIFEST}" \ +NAMESPACE="${NAMESPACE}" CONTROL_PLANE_NS="${CONTROL_PLANE_NS}" DEPLOYMENT_NAME="${DEPLOYMENT_NAME}" MULTICLUSTER="${MULTICLUSTER}" ARTIFACTS="${ARTIFACTS}" \ +ISTIO_NAME="${ISTIO_NAME}" COMMAND="${COMMAND}" VERSIONS_YAML_FILE="${VERSIONS_YAML_FILE}" KUBECONFIG="${KUBECONFIG}" ISTIOCTL_PATH="${ISTIOCTL}" \ go run github.com/onsi/ginkgo/v2/ginkgo -tags e2e --timeout 30m --junit-report=report.xml ${GINKGO_FLAGS} "${WD}"/... diff --git a/tests/e2e/config/default.yaml b/tests/e2e/config/default.yaml index 58c947c9e..9f160497d 100644 --- a/tests/e2e/config/default.yaml +++ b/tests/e2e/config/default.yaml @@ -27,9 +27,4 @@ containerdConfigPatches: - |- [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5000"] endpoint = ["http://kind-registry:5000"] -networking: - # MAISTRA specific: - # our prow cluster uses serviceSubnet 10.96.0.0/12, so the kind cluster must use other subnet to correctly route traffic; - # in this case, address 10.224.0.0 is chosen randomly from available set of subnets. - serviceSubnet: "10.224.0.0/12" - ipFamily: ipv4 + diff --git a/tests/e2e/config/multicluster.json b/tests/e2e/config/multicluster.json new file mode 100644 index 000000000..247824a37 --- /dev/null +++ b/tests/e2e/config/multicluster.json 
@@ -0,0 +1,14 @@ +[ + { + "cluster_name": "primary", + "pod_subnet": "10.10.0.0/16", + "svc_subnet": "10.255.10.0/24", + "network_id": "0" + }, + { + "cluster_name": "remote", + "pod_subnet": "10.20.0.0/16", + "svc_subnet": "10.255.20.0/24", + "network_id": "1" + } +] \ No newline at end of file diff --git a/tests/e2e/controlplane/control_plane_suite_test.go b/tests/e2e/controlplane/control_plane_suite_test.go index 1603b380e..a1b573984 100644 --- a/tests/e2e/controlplane/control_plane_suite_test.go +++ b/tests/e2e/controlplane/control_plane_suite_test.go @@ -20,7 +20,9 @@ import ( "testing" k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "sigs.k8s.io/controller-runtime/pkg/client" 
@@ -30,28 +32,36 @@ var ( cl client.Client err error ocp = env.GetBool("OCP", false) - namespace = env.Get("NAMESPACE", "sail-operator") + namespace = common.OperatorNamespace deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system") istioName = env.Get("ISTIO_NAME", "default") istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni") istioCniName = env.Get("ISTIOCNI_NAME", "default") - image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") skipDeploy = env.GetBool("SKIP_DEPLOY", false) expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io") bookinfoNamespace = env.Get("BOOKINFO_NAMESPACE", "bookinfo") + multicluster = env.GetBool("MULTICLUSTER", false) + ipFamily = env.Get("IP_FAMILY", "ipv4") + + k kubectl.Kubectl ) func TestInstall(t *testing.T) { + if ipFamily == "dual" || multicluster { + t.Skip("Skipping the control plane tests") + } RegisterFailHandler(Fail) setup() - RunSpecs(t, "Control Plane Suite") + RunSpecs(t, "Control Plane Test Suite") } func setup() { GinkgoWriter.Println("************ Running Setup ************") GinkgoWriter.Println("Initializing k8s client") - cl, err = k8sclient.InitK8sClient() + cl, err = k8sclient.InitK8sClient("") Expect(err).NotTo(HaveOccurred()) + + k = kubectl.New() } diff --git a/tests/e2e/controlplane/control_plane_test.go b/tests/e2e/controlplane/control_plane_test.go index ab3007e2f..20c52e872 100644 --- a/tests/e2e/controlplane/control_plane_test.go +++ b/tests/e2e/controlplane/control_plane_test.go 
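Review bot: `k8sclient.InitK8sClient("")` passes an empty string whose meaning is not visible at the call site; a short comment stating what the empty argument selects (presumably the default kubeconfig, to be confirmed against `InitK8sClient`) would help, especially since the dualstack suite added in this commit repeats the same call. `TestInstall` now skips with the generic message "Skipping the control plane tests"; including the reason, `t.Skipf("skipping control plane tests: IP_FAMILY=%s MULTICLUSTER=%t", ipFamily, multicluster)`, makes `go test -v` output self-explanatory. Replacing `env.Get("NAMESPACE", ...)` with `namespace = common.OperatorNamespace` drops the env override at this site; that is fine if `common.OperatorNamespace` reads the same variable, which is not visible here.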
@@ -18,20 +18,16 @@ package controlplane import ( "fmt" - "path/filepath" - "regexp" "strings" "time" + "github.com/Masterminds/semver/v3" "github.com/istio-ecosystem/sail-operator/api/v1alpha1" "github.com/istio-ecosystem/sail-operator/pkg/kube" - "github.com/istio-ecosystem/sail-operator/pkg/test/project" . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" - common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" - "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "github.com/onsi/gomega/types" @@ -43,20 +39,13 @@ import ( "istio.io/istio/pkg/ptr" ) -// version can have one of the following formats: -// - 1.22.2 -// - 1.23.0-rc.1 -// - 1.24-alpha -var istiodVersionRegex = regexp.MustCompile(`Version:"(\d+\.\d+(\.\d+)?(-\w+(\.\d+)?)?)`) - var _ = Describe("Control Plane Installation", Ordered, func() { SetDefaultEventuallyTimeout(180 * time.Second) SetDefaultEventuallyPollingInterval(time.Second) - debugInfoLogged := false BeforeAll(func(ctx SpecContext) { - Expect(kubectl.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") extraArg := "" if ocp { @@ -66,7 +55,7 @@ var _ = Describe("Control Plane Installation", Ordered, func() { if skipDeploy { Success("Skipping operator installation because it was deployed externally") } else { - Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)). + Expect(common.InstallOperatorViaHelm(extraArg)). To(Succeed(), "Operator failed to be deployed") } 
@@ -86,7 +75,7 @@ kind: IstioCNI metadata: name: default ` + spec - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") Success("IstioCNI created") cni := &v1alpha1.IstioCNI{} @@ -110,7 +99,7 @@ kind: Istio metadata: name: default ` + spec - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "Istio creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "Istio creation failed") Success("Istio created") istio := &v1alpha1.Istio{} @@ -133,8 +122,8 @@ metadata: Context(version.Name, func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") - Expect(kubectl.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") + Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") }) When("the IstioCNI CR is created", func() { @@ -149,7 +138,7 @@ spec: namespace: %s` yaml = fmt.Sprintf(yaml, version.Name, istioCniNamespace) Log("IstioCNI YAML:", indent(2, yaml)) - Expect(kubectl.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") + Expect(k.CreateFromString(yaml)).To(Succeed(), "IstioCNI creation failed") Success("IstioCNI created") }) 
@@ -181,9 +170,9 @@ spec: }) It("doesn't continuously reconcile the IstioCNI CR", func() { - Eventually(kubectl.Logs).WithArguments(namespace, "deploy/"+deploymentName, ptr.Of(30*time.Second)). - ShouldNot(ContainSubstring("Reconciliation done"), "Istio Operator is continuously reconciling") - Success("Istio Operator stopped reconciling") + Eventually(k.WithNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)). + ShouldNot(ContainSubstring("Reconciliation done"), "IstioCNI is continuously reconciling") + Success("IstioCNI stopped reconciling") }) }) @@ -199,7 +188,7 @@ spec: namespace: %s` istioYAML = fmt.Sprintf(istioYAML, version.Name, controlPlaneNamespace) Log("Istio YAML:", indent(2, istioYAML)) - Expect(kubectl.CreateFromString(istioYAML)). + Expect(k.CreateFromString(istioYAML)). To(Succeed(), "Istio CR failed to be created") Success("Istio CR created") }) @@ -219,7 +208,7 @@ spec: It("deploys istiod", func(ctx SpecContext) { Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available; unexpected Condition") - Expect(getVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") Success("Istiod is deployed in the namespace and Running") }) 
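Review bot: `Expect(common.GetVersionFromIstiod()).To(Equal(version.Version))` now compares two `*semver.Version` values with gomega's `Equal`, which uses `reflect.DeepEqual` and therefore also compares unexported fields, including the original input string that Masterminds/semver keeps; "1.23.2" and "v1.23.2", or values differing only in build metadata, would be reported unequal although semver treats them as the same version. Comparing with the type's own method avoids that: `got, err := common.GetVersionFromIstiod()` / `Expect(err).NotTo(HaveOccurred())` / `Expect(got.Equal(version.Version)).To(BeTrue(), "Unexpected istiod version %s", got)` (assuming `GetVersionFromIstiod` returns a `*semver.Version`, which the existing comparison implies). The sidecar check in the `@@ -260,22 +249,22 @@` hunk, `Expect(sidecarVersion).To(Equal(version.Version))`, has the same issue.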
@@ -229,16 +218,16 @@ spec: }) It("doesn't continuously reconcile the Istio CR", func() { - Eventually(kubectl.Logs).WithArguments(namespace, "deploy/"+deploymentName, ptr.Of(30*time.Second)). - ShouldNot(ContainSubstring("Reconciliation done"), "Istio Operator is continuously reconciling") - Success("Istio Operator stopped reconciling") + Eventually(k.WithNamespace(namespace).Logs).WithArguments("deploy/"+deploymentName, ptr.Of(30*time.Second)). + ShouldNot(ContainSubstring("Reconciliation done"), "Istio CR is continuously reconciling") + Success("Istio CR stopped reconciling") }) }) When("bookinfo is deployed", func() { BeforeAll(func() { - Expect(kubectl.CreateNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be created") - Expect(kubectl.Patch("", "namespace", bookinfoNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + Expect(k.CreateNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be created") + Expect(k.Patch("namespace", bookinfoNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). To(Succeed(), "Error patching bookinfo namespace") Expect(deployBookinfo(version)).To(Succeed(), "Error deploying bookinfo") Success("Bookinfo deployed") @@ -247,7 +236,7 @@ spec: bookinfoPods := &corev1.PodList{} It("updates the pods status to Running", func(ctx SpecContext) { - cl.List(ctx, bookinfoPods, client.InNamespace(bookinfoNamespace)) + Expect(cl.List(ctx, bookinfoPods, client.InNamespace(bookinfoNamespace))).To(Succeed()) Expect(bookinfoPods.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") for _, pod := range bookinfoPods.Items { 
@@ -260,22 +249,22 @@ spec: It("has sidecars with the correct istio version", func(ctx SpecContext) { for _, pod := range bookinfoPods.Items { sidecarVersion, err := getProxyVersion(pod.Name, bookinfoNamespace) - Expect(err).To(Succeed(), "Error getting sidecar version") - Expect(sidecarVersion).To(ContainSubstring(version.Version), "Sidecar Istio version does not match the expected version") + Expect(err).NotTo(HaveOccurred(), "Error getting sidecar version") + Expect(sidecarVersion).To(Equal(version.Version), "Sidecar Istio version does not match the expected version") } Success("Istio sidecar version matches the expected Istio version") }) AfterAll(func(ctx SpecContext) { By("Deleting bookinfo") - Expect(kubectl.DeleteNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be deleted") + Expect(k.DeleteNamespace(bookinfoNamespace)).To(Succeed(), "Bookinfo namespace failed to be deleted") Success("Bookinfo deleted") }) }) When("the Istio CR is deleted", func() { BeforeEach(func() { - Expect(kubectl.Delete(controlPlaneNamespace, "istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") Success("Istio CR deleted") }) @@ -289,7 +278,7 @@ spec: When("the IstioCNI CR is deleted", func() { BeforeEach(func() { - Expect(kubectl.Delete(istioCniNamespace, "istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") + Expect(k.WithNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") Success("IstioCNI deleted") }) @@ -335,7 +324,7 @@ spec: } By("Deleting operator deployment") - Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)). + Expect(common.UninstallOperator()). To(Succeed(), "Operator failed to be deleted") GinkgoWriter.Println("Operator uninstalled") 
@@ -343,7 +332,7 @@ spec: Success("Skipping deletion of operator namespace to avoid removal of operator container image from internal registry") return } - Expect(kubectl.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") + Expect(k.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") Success("Namespace deleted") }) }) @@ -356,19 +345,6 @@ func ImageFromRegistry(regexp string) types.GomegaMatcher { return HaveField("Image", MatchRegexp(regexp)) } -func getVersionFromIstiod() (string, error) { - output, err := kubectl.Exec(controlPlaneNamespace, "deploy/istiod", "", "pilot-discovery version") - if err != nil { - return "", fmt.Errorf("error getting version from istiod: %w", err) - } - - matches := istiodVersionRegex.FindStringSubmatch(output) - if len(matches) > 1 && matches[1] != "" { - return matches[1], nil - } - return "", fmt.Errorf("error getting version from istiod: version not found in output: %s", output) -} - func indent(level int, str string) string { indent := strings.Repeat(" ", level) return indent + strings.ReplaceAll(str, "\n", "\n"+indent) 
@@ -377,17 +353,17 @@ func indent(level int, str string) string { func forceDeleteIstioResources() error { // This is a workaround to delete the Istio CRs that are left in the cluster // This will be improved by splitting the tests into different Nodes with their independent setups and cleanups - err := kubectl.ForceDelete("", "istio", istioName) + err := k.ForceDelete("istio", istioName) if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istio", err) } - err = kubectl.ForceDelete("", "istiorevision", "default") + err = k.ForceDelete("istiorevision", "default") if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istiorevision", err) } - err = kubectl.Delete("", "istiocni", istioCniName) + err = k.Delete("istiocni", istioCniName) if err != nil && !strings.Contains(err.Error(), "not found") { return fmt.Errorf("failed to delete %s CR: %w", "istiocni", err) } @@ -408,7 +384,7 @@ func getBookinfoURL(version supportedversion.VersionInfo) string { func deployBookinfo(version supportedversion.VersionInfo) error { bookinfoURL := getBookinfoURL(version) - kubectl.Apply(bookinfoNamespace, bookinfoURL) + err := k.WithNamespace(bookinfoNamespace).Apply(bookinfoURL) if err != nil { return fmt.Errorf("error deploying bookinfo: %w", err) } 
@@ -416,14 +392,19 @@ func deployBookinfo(version supportedversion.VersionInfo) error { return nil } -func getProxyVersion(podName, namespace string) (string, error) { - proxyVersion, err := kubectl.Exec(namespace, +func getProxyVersion(podName, namespace string) (*semver.Version, error) { + output, err := k.WithNamespace(namespace).Exec( podName, "istio-proxy", `curl -s http://localhost:15000/server_info | grep "ISTIO_VERSION" | awk -F '"' '{print $4}'`) if err != nil { - return "", fmt.Errorf("error getting sidecar version: %w", err) + return nil, fmt.Errorf("error getting sidecar version: %w", err) } - return proxyVersion, nil + versionStr := strings.TrimSpace(output) + version, err := semver.NewVersion(versionStr) + if err != nil { + return version, fmt.Errorf("error parsing sidecar version %q: %w", versionStr, err) + } + return version, err } diff --git a/tests/e2e/dualstack/dualstack_suite_test.go b/tests/e2e/dualstack/dualstack_suite_test.go new file mode 100644 index 000000000..3dd477ce2 --- /dev/null +++ b/tests/e2e/dualstack/dualstack_suite_test.go 
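Review bot: The new `getProxyVersion` ends with `return version, err`, which is correct only because `err` is known to be nil at that point, and the parse-error branch returns the (nil) `version` alongside the error. Writing the branch as `return nil, fmt.Errorf("error parsing sidecar version %q: %w", versionStr, err)` and the final line as `return version, nil` states the intent directly and matches the earlier `return nil, fmt.Errorf(...)` in the same function. With `strings.TrimSpace` applied, an empty pipeline output now surfaces as a semver parse error of `""`, which the `%q` in the message already makes visible.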
@@ -0,0 +1,67 @@
+//go:build e2e
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package dualstack
+
+import (
+ "testing"
+
+ k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var (
+ cl client.Client
+ err error
+ ocp = env.GetBool("OCP", false)
+ namespace = common.OperatorNamespace
+ deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
+ controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
+ istioName = env.Get("ISTIO_NAME", "default")
+ istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni")
+ istioCniName = env.Get("ISTIOCNI_NAME", "default")
+ skipDeploy = env.GetBool("SKIP_DEPLOY", false)
+ expectedRegistry = env.Get("EXPECTED_REGISTRY", "^docker\\.io|^gcr\\.io")
+ multicluster = env.GetBool("MULTICLUSTER", false)
+ ipFamily = env.Get("IP_FAMILY", "ipv4")
+
+ k kubectl.Kubectl
+)
+
+func TestDualStack(t *testing.T) {
+ if ipFamily != "dual" || multicluster {
+ t.Skip("Skipping the dualStack tests")
+ }
+
+ RegisterFailHandler(Fail)
+ setup()
+ RunSpecs(t, "DualStack Test Suite")
+}
+
+func setup() {
+ GinkgoWriter.Println("************ Running Setup ************")
+
+ GinkgoWriter.Println("Initializing k8s client")
+ cl, err = k8sclient.InitK8sClient("")
+ Expect(err).NotTo(HaveOccurred())
+
+ k = kubectl.New()
+}
diff --git a/tests/e2e/dualstack/dualstack_test.go b/tests/e2e/dualstack/dualstack_test.go
new file mode 100644
index 000000000..9d4fb4425
--- /dev/null
+++ b/tests/e2e/dualstack/dualstack_test.go
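Review bot: `err error` is declared as a package-level variable in the var block and then reused as a shared assignment target by the specs in dualstack_test.go (`sleepPod, err = common.CheckPodsReady(...)`), so an error value from one call site lingers until the next assignment and the variable is unsafe if specs are ever run in parallel. Prefer a local at each call site (`cl, err := k8sclient.InitK8sClient("")` inside setup, `:=` in the specs) and drop `err error` from the block. setup() also calls Expect before any spec is running, which presumably relies on the fail handler registered on the preceding line; how Ginkgo reports a failure raised there is worth confirming, since an explicit `if err != nil { panic(err) }` would give an unambiguous message.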
@@ -0,0 +1,357 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR Condition OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package dualstack + +import ( + "fmt" + "time" + + "github.com/Masterminds/semver/v3" + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + "github.com/onsi/gomega/types" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + DualStackNamespace = "dual-stack" + IPv4Namespace = "ipv4" + IPv6Namespace = "ipv6" + SleepNamespace = "sleep" +) + +var _ = Describe("DualStack configuration ", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + + debugInfoLogged := false + + BeforeAll(func(ctx SpecContext) { + Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created") + + extraArg := "" + if ocp { + extraArg = "--set=platform=openshift" + } + + if skipDeploy { + Success("Skipping operator installation because it was deployed externally") + } else { + Expect(common.InstallOperatorViaHelm(extraArg)). 
+ To(Succeed(), "Operator failed to be deployed") + } + + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the namespace and Running") + }) + + Describe("for supported versions", func() { + for _, version := range supportedversion.List { + // Note: This var version is needed to avoid the closure of the loop + version := version + + // The minimum supported version is 1.23 (and above) + if version.Version.LessThan(semver.MustParse("1.23.0")) { + continue + } + + Context(fmt.Sprintf("Istio version %s", version.Version), func() { + BeforeAll(func() { + Expect(k.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Istio namespace failed to be created") + Expect(k.CreateNamespace(istioCniNamespace)).To(Succeed(), "IstioCNI namespace failed to be created") + }) + + When("the IstioCNI CR is created", func() { + BeforeAll(func() { + cniYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: IstioCNI +metadata: + name: default +spec: + version: %s + namespace: %s` + cniYAML = fmt.Sprintf(cniYAML, version.Name, istioCniNamespace) + Log("IstioCNI YAML:", cniYAML) + Expect(k.CreateFromString(cniYAML)).To(Succeed(), "IstioCNI creation failed") + Success("IstioCNI created") + }) + + It("deploys the CNI DaemonSet", func(ctx SpecContext) { + Eventually(func(g Gomega) { + daemonset := &appsv1.DaemonSet{} + g.Expect(cl.Get(ctx, kube.Key("istio-cni-node", istioCniNamespace), daemonset)).To(Succeed(), "Error getting IstioCNI DaemonSet") + g.Expect(daemonset.Status.NumberAvailable). 
+ To(Equal(daemonset.Status.CurrentNumberScheduled), "CNI DaemonSet Pods not Available; expected numberAvailable to be equal to currentNumberScheduled") + }).Should(Succeed(), "CNI DaemonSet Pods are not Available") + Success("CNI DaemonSet is deployed in the namespace and Running") + }) + }) + + When("the Istio CR is created with DualStack configuration", func() { + BeforeAll(func() { + istioYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + values: + meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_DUAL_STACK: "true" + pilot: + ipFamilyPolicy: %s + env: + ISTIO_DUAL_STACK: "true" + version: %s + namespace: %s` + istioYAML = fmt.Sprintf(istioYAML, corev1.IPFamilyPolicyRequireDualStack, version.Name, controlPlaneNamespace) + Log("Istio YAML:", istioYAML) + Expect(k.CreateFromString(istioYAML)). + To(Succeed(), "Istio CR failed to be created") + Success("Istio CR created") + }) + + It("updates the Istio CR status to Reconciled", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReconciled, metav1.ConditionTrue), "Istio is not Reconciled; unexpected Condition") + Success("Istio CR is Reconciled") + }) + + It("updates the Istio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready; unexpected Condition") + Success("Istio CR is Ready") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject).WithArguments(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running") + }) + + It("uses the correct image", func(ctx SpecContext) { + Expect(common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{})). + To(HaveContainersThat(HaveEach(ImageFromRegistry(expectedRegistry)))) + }) + + It("has ISTIO_DUAL_STACK env variable set", func(ctx SpecContext) { + Expect(common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{})). + To(HaveContainersThat(ContainElement(WithTransform(getEnvVars, ContainElement(corev1.EnvVar{Name: "ISTIO_DUAL_STACK", Value: "true"})))), + "Expected ISTIO_DUAL_STACK to be set to true, but not found") + }) + + It("deploys istiod service in dualStack mode", func(ctx SpecContext) { + var istiodSvcObj corev1.Service + + Eventually(func() error { + _, err := common.GetObject(ctx, cl, kube.Key("istiod", controlPlaneNamespace), &istiodSvcObj) + return err + }).Should(Succeed(), "Expected to retrieve the 'istiod' service") + + Expect(istiodSvcObj.Spec.IPFamilyPolicy).ToNot(BeNil(), "Expected IPFamilyPolicy to be set") + Expect(*istiodSvcObj.Spec.IPFamilyPolicy).To(Equal(corev1.IPFamilyPolicyRequireDualStack), "Expected ipFamilyPolicy to be 'RequireDualStack'") + Success("Istio Service is deployed in the namespace and Running") + }) + }) + + // We spawn the following pods to verify the data-path connectivity. + // 1. a dualStack service in dual-stack namespace which listens on both IPv4 and IPv6 addresses + // 2. an ipv4 only service in ipv4 namespace which listens only on IPv4 address + // 3. 
an ipv6 only service in ipv6 namespace which listens only on IPv6 address + // Using a sleep pod from the sleep namespace, we try to connect to all the three services to verify that connectivity is successful. + When("sample apps are deployed in the cluster", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k.CreateNamespace(DualStackNamespace)).To(Succeed(), "Failed to create dual-stack namespace") + Expect(k.CreateNamespace(IPv4Namespace)).To(Succeed(), "Failed to create ipv4 namespace") + Expect(k.CreateNamespace(IPv6Namespace)).To(Succeed(), "Failed to create ipv6 namespace") + Expect(k.CreateNamespace(SleepNamespace)).To(Succeed(), "Failed to create sleep namespace") + + Expect(k.Patch("namespace", DualStackNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching dual-stack namespace") + Expect(k.Patch("namespace", IPv4Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching ipv4 namespace") + Expect(k.Patch("namespace", IPv6Namespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching ipv6 namespace") + Expect(k.Patch("namespace", SleepNamespace, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). 
+ To(Succeed(), "Error patching sleep namespace") + + Expect(k.WithNamespace(DualStackNamespace).Apply(getYAMLPodURL(version, DualStackNamespace))).To(Succeed(), "error deploying tcpDualStack pod") + Expect(k.WithNamespace(IPv4Namespace).Apply(getYAMLPodURL(version, IPv4Namespace))).To(Succeed(), "error deploying ipv4 pod") + Expect(k.WithNamespace(IPv6Namespace).Apply(getYAMLPodURL(version, IPv6Namespace))).To(Succeed(), "error deploying ipv6 pod") + Expect(k.WithNamespace(SleepNamespace).Apply(getYAMLPodURL(version, SleepNamespace))).To(Succeed(), "error deploying sleep pod") + + Success("dualStack validation pods deployed") + }) + + sleepPod := &corev1.PodList{} + It("updates the status of pods to Running", func(ctx SpecContext) { + _, err = common.CheckPodsReady(ctx, cl, DualStackNamespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of dual-stack pods: %v", err)) + + _, err = common.CheckPodsReady(ctx, cl, IPv4Namespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of ipv4 pods: %v", err)) + + _, err = common.CheckPodsReady(ctx, cl, IPv6Namespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of ipv6 pods: %v", err)) + + sleepPod, err = common.CheckPodsReady(ctx, cl, SleepNamespace) + Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("Error checking status of sleep pods: %v", err)) + + Success("Pods are ready") + }) + + It("can access the dual-stack service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, DualStackNamespace) + }) + + It("can access the ipv4 only service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, IPv4Namespace) + }) + + It("can access the ipv6 only service from the sleep pod", func(ctx SpecContext) { + checkPodConnectivity(sleepPod.Items[0].Name, SleepNamespace, IPv6Namespace) + }) + + AfterAll(func(ctx SpecContext) { + By("Deleting the pods") + 
Expect(k.DeleteNamespace(DualStackNamespace, IPv4Namespace, IPv6Namespace, SleepNamespace)). + To(Succeed(), "Failed to delete namespaces") + Success("DualStack validation pods deleted") + }) + }) + + When("the Istio CR is deleted", func() { + BeforeEach(func() { + Expect(k.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Success("Istio CR deleted") + }) + + It("removes everything from the namespace", func(ctx SpecContext) { + Eventually(cl.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(ReturnNotFoundError(), "Istiod should not exist anymore") + common.CheckNamespaceEmpty(ctx, cl, controlPlaneNamespace) + Success("Namespace is empty") + }) + }) + + When("the IstioCNI CR is deleted", func() { + BeforeEach(func() { + Expect(k.WithNamespace(istioCniNamespace).Delete("istiocni", istioCniName)).To(Succeed(), "IstioCNI CR failed to be deleted") + Success("IstioCNI deleted") + }) + + It("removes everything from the CNI namespace", func(ctx SpecContext) { + daemonset := &appsv1.DaemonSet{} + Eventually(cl.Get).WithArguments(ctx, kube.Key("istio-cni-node", istioCniNamespace), daemonset). 
+ Should(ReturnNotFoundError(), "IstioCNI DaemonSet should not exist anymore") + common.CheckNamespaceEmpty(ctx, cl, istioCniNamespace) + Success("CNI namespace is empty") + }) + }) + }) + } + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() { + common.LogDebugInfo() + debugInfoLogged = true + } + + By("Cleaning up the Istio namespace") + Expect(cl.Delete(ctx, &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: controlPlaneNamespace}})).To(Succeed(), "Istio Namespace failed to be deleted") + + By("Deleting any left-over Istio and IstioRevision resources") + Success("Resources deleted") + Success("Cleanup done") + }) + }) + + AfterAll(func() { + if CurrentSpecReport().Failed() && !debugInfoLogged { + common.LogDebugInfo() + debugInfoLogged = true + } + + if skipDeploy { + Success("Skipping operator undeploy because it was deployed externally") + return + } + + By("Deleting operator deployment") + Expect(common.UninstallOperator()). + To(Succeed(), "Operator failed to be deleted") + GinkgoWriter.Println("Operator uninstalled") + + Expect(k.DeleteNamespace(namespace)).To(Succeed(), "Namespace failed to be deleted") + Success("Namespace deleted") + }) +}) + +func HaveContainersThat(matcher types.GomegaMatcher) types.GomegaMatcher { + return HaveField("Spec.Template.Spec.Containers", matcher) +} + +func ImageFromRegistry(regexp string) types.GomegaMatcher { + return HaveField("Image", MatchRegexp(regexp)) +} + +func getEnvVars(container corev1.Container) []corev1.EnvVar { + return container.Env +} + +func getYAMLPodURL(version supportedversion.VersionInfo, namespace string) string { + var url string + + switch namespace { + case DualStackNamespace: + url = "samples/tcp-echo/tcp-echo-dual-stack.yaml" + case IPv4Namespace: + url = "samples/tcp-echo/tcp-echo-ipv4.yaml" + case IPv6Namespace: + url = "samples/tcp-echo/tcp-echo-ipv6.yaml" + case SleepNamespace: + url = "samples/sleep/sleep.yaml" + default: + return "" + } + + if version.Name == "latest" 
{ + return fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/master/%s", url) + } + + return fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/%s", version.Version, url) +} + +func checkPodConnectivity(podName, namespace, echoStr string) { + command := fmt.Sprintf(`sh -c 'echo %s | nc tcp-echo.%s 9000'`, echoStr, echoStr) + response, err := k.WithNamespace(namespace).Exec(podName, "sleep", command) + Expect(err).NotTo(HaveOccurred(), fmt.Sprintf("error connecting to the %q pod", podName)) + Expect(response).To(ContainSubstring(fmt.Sprintf("hello %s", echoStr)), fmt.Sprintf("Unexpected response from %s pod", podName)) +} diff --git a/tests/e2e/integ-suite-kind.sh b/tests/e2e/integ-suite-kind.sh index 39a5b415e..e4442e278 100755 --- a/tests/e2e/integ-suite-kind.sh +++ b/tests/e2e/integ-suite-kind.sh @@ -29,9 +29,19 @@ export KIND_REGISTRY="localhost:${KIND_REGISTRY_PORT}" export DEFAULT_CLUSTER_YAML="${SCRIPTPATH}/config/default.yaml" export IP_FAMILY="${IP_FAMILY:-ipv4}" export ARTIFACTS="${ARTIFACTS:-$(mktemp -d)}" +export MULTICLUSTER="${MULTICLUSTER:-false}" +# Set variable to exclude kind clusters from kubectl annotations. +# You need to set kind clusters names separated by comma +export KIND_EXCLUDE_CLUSTERS="${KIND_EXCLUDE_CLUSTERS:-}" +export ISTIOCTL="${ISTIOCTL:-${ROOT}/bin/istioctl}" + # Set variable for cluster kind name export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-operator-integration-tests}" +if [ "${MULTICLUSTER}" == "true" ]; then + export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME}-1" + export KIND_CLUSTER_NAME_2="${KIND_CLUSTER_NAME}-2" +fi # Use the local registry instead of the default HUB export HUB="${KIND_REGISTRY}" 
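Review bot: In the per-version AfterAll, `By("Deleting any left-over Istio and IstioRevision resources")` is followed directly by `Success("Resources deleted")` with no deletion call in between, so the log reports a cleanup that never runs; either add the deletion (the operator suite has a force-delete helper for left-over Istio CRs, if it can be shared) or remove the two lines. The three connectivity specs index `sleepPod.Items[0]` without checking the list is non-empty, so an empty result from CheckPodsReady fails with an index panic rather than a readable assertion; add `Expect(sleepPod.Items).NotTo(BeEmpty(), "no sleep pod found")` before the first use. The license header in this file reads "WITHOUT WARRANTIES OR Condition OF ANY KIND" where the other new files say "CONDITIONS".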
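Review bot: In the MULTICLUSTER branch, `KIND_CLUSTER_NAME_2` is derived from `KIND_CLUSTER_NAME` after that variable has already been re-exported with the `-1` suffix, so the second name becomes `<base>-1-2` instead of `<base>-2`. Capture the base first: `KIND_CLUSTER_NAME_BASE="${KIND_CLUSTER_NAME}"`, `export KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME_BASE}-1"`, `export KIND_CLUSTER_NAME_2="${KIND_CLUSTER_NAME_BASE}-2"`. Whether anything in the multicluster path still reads these names (the second hunk sets the clusters up from config/multicluster.json) is not visible here, so confirm against that topology file before relying on them.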
@@ -52,16 +62,44 @@ function setup_kind_registry() {
 fi
 # https://docs.tilt.dev/choosing_clusters.html#discovering-the-registry
- # TODO get context/config from existing variables
- kind export kubeconfig --name="${KIND_CLUSTER_NAME}"
- for node in $(kind get nodes --name="${KIND_CLUSTER_NAME}"); do
- kubectl annotate node "${node}" "kind.x-k8s.io/registry=localhost:${KIND_REGISTRY_PORT}" --overwrite;
+ for cluster in $(kind get clusters); do
+ # TODO get context/config from existing variables
+ # Avoid adding the registry to excluded clusters. Use when you have multiple clusters running.
+ if [[ "${KIND_EXCLUDE_CLUSTERS}" == *"${cluster}"* ]]; then
+ continue
+ fi
+
+ kind export kubeconfig --name="${cluster}"
+ for node in $(kind get nodes --name="${cluster}"); do
+ kubectl annotate node "${node}" "kind.x-k8s.io/registry=localhost:${KIND_REGISTRY_PORT}" --overwrite;
+ done
 done
 }
-KUBECONFIG="${ARTIFACTS}/config" setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true"
-setup_kind_registry
+if [ "${MULTICLUSTER}" == "true" ]; then
+ CLUSTER_TOPOLOGY_CONFIG_FILE="${SCRIPTPATH}/config/multicluster.json"
+ load_cluster_topology "${CLUSTER_TOPOLOGY_CONFIG_FILE}"
+ setup_kind_clusters "" ""
+ setup_kind_registry
+
+ export KUBECONFIG="${KUBECONFIGS[0]}"
+ export KUBECONFIG2="${KUBECONFIGS[1]}"
+else
+ KUBECONFIG="${ARTIFACTS}/config" setup_kind_cluster "${KIND_CLUSTER_NAME}" "" "" "true" "true"
+ setup_kind_registry
+fi
+
+
+# Check that istioctl is present using ${ISTIOCTL}
+if ! command -v "${ISTIOCTL}" &> /dev/null; then
+ echo "istioctl not found. Please set the ISTIOCTL environment variable to the path of the istioctl binary"
+ exit 1
+fi
 # Run the integration tests
 echo "Running integration tests"
-ARTIFACTS="${ARTIFACTS}" ./tests/e2e/common-operator-integ-suite.sh --kind
+if [ "${MULTICLUSTER}" == "true" ]; then
+ ARTIFACTS="${ARTIFACTS}" ISTIOCTL="${ISTIOCTL}" ./tests/e2e/common-operator-integ-suite.sh --kind --multicluster
+else
+ARTIFACTS="${ARTIFACTS}" IP_FAMILY="${IP_FAMILY}" ./tests/e2e/common-operator-integ-suite.sh --kind
+fi
\ No newline at end of file
diff --git a/tests/e2e/multicluster/common.go b/tests/e2e/multicluster/common.go
new file mode 100644
index 000000000..3309f26c1
--- /dev/null
+++ b/tests/e2e/multicluster/common.go
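Review bot: The exclusion test `[[ "${KIND_EXCLUDE_CLUSTERS}" == *"${cluster}"* ]]` is a substring match against the whole comma-separated list, so a cluster named `operator-integration-tests` is skipped whenever the list contains `operator-integration-tests-1`, and a short name like `kind` matches almost any entry. Match whole entries instead: `case ",${KIND_EXCLUDE_CLUSTERS}," in *",${cluster},"*) continue ;; esac`. The istioctl presence check runs only after the kind clusters have been created; moving it above the cluster setup would fail fast before the expensive part. The `ARTIFACTS=... IP_FAMILY=...` line in the final `else` branch is the only unindented statement in that block.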
@@ -0,0 +1,36 @@
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package multicluster
+
+import (
+ "fmt"
+ "time"
+
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/gomega"
+)
+
+// verifyResponsesAreReceivedFromBothClusters checks that when the sleep pod in the sample namespace
+// sends a request to the helloworld service, it receives responses from both v1 and v2 versions,
+// which are deployed in different clusters
+func verifyResponsesAreReceivedFromBothClusters(k kubectl.Kubectl, clusterName string) {
+ expectedVersions := []string{"v1", "v2"}
+ for _, v := range expectedVersions {
+ Eventually(k.WithNamespace("sample").Exec, 10*time.Second, 10*time.Millisecond).
+ WithArguments("deploy/sleep", "sleep", "curl -sS helloworld.sample:5000/hello").
+ Should(ContainSubstring(fmt.Sprintf("Hello version: %s", v)),
+ fmt.Sprintf("sleep pod in %s did not receive any response from %s", clusterName, v))
+ }
+}
diff --git a/tests/e2e/multicluster/multicluster_multiprimary_test.go b/tests/e2e/multicluster/multicluster_multiprimary_test.go
new file mode 100644
index 000000000..e6274d0c0
--- /dev/null
+++ b/tests/e2e/multicluster/multicluster_multiprimary_test.go
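Review bot: The Eventually in verifyResponsesAreReceivedFromBothClusters polls every 10 milliseconds for up to 10 seconds, and each poll spawns a kubectl process plus a curl inside the pod; for a check that only needs to observe both load-balanced versions eventually, an interval of a few hundred milliseconds (`Eventually(..., 10*time.Second, 500*time.Millisecond)`) is enough and keeps the exec churn and log noise down. Since the two versions are checked sequentially, a stream that only ever returns one version fails on the other with clusterName in the message, which is the right diagnostic; it would be worth noting in the doc comment that the 10-second budget covers both versions together rather than each one.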
@@ -0,0 +1,319 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package multicluster + +import ( + "context" + "fmt" + "time" + + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" + . "github.com/onsi/ginkgo/v2" + . 
"github.com/onsi/gomega" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var _ = Describe("Multicluster deployment models", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + debugInfoLogged := false + + BeforeAll(func(ctx SpecContext) { + if !skipDeploy { + // Deploy the Sail Operator on both clusters + Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #1") + Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Cluster #2") + + Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig)). + To(Succeed(), "Operator failed to be deployed in Cluster #1") + + Expect(common.InstallOperatorViaHelm("--kubeconfig "+kubeconfig2)). + To(Succeed(), "Operator failed to be deployed in Cluster #2") + + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Cluster #1 namespace and Running") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Cluster #2 namespace and Running") + } + }) + + Describe("Multi-Primary Multi-Network configuration", func() { + // Test the Multi-Primary Multi-Network configuration for each supported Istio version + for _, version := range supportedversion.List { + Context(fmt.Sprintf("Istio version %s", version.Version), func() { + When("Istio resources are created in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + + // Push the intermediate CA to both clusters + Expect(certs.PushIntermediateCA(k1, controlPlaneNamespace, "east", "network1", artifacts, clPrimary)).To(Succeed()) + Expect(certs.PushIntermediateCA(k2, controlPlaneNamespace, "west", "network2", artifacts, clRemote)).To(Succeed()) + + // Wait for the secret to be created in both clusters + Eventually(func() error { + _, err := common.GetObject(context.Background(), clPrimary, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Cluster #1") + + Eventually(func() error { + _, err := common.GetObject(context.Background(), clRemote, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Cluster #1") + + multiclusterYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + version: %s + namespace: %s + values: + global: + meshID: %s + multiCluster: + clusterName: %s + network: %s` + multiclusterCluster1YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") + Log("Istio CR Cluster #1: ", multiclusterCluster1YAML) + 
Expect(k1.CreateFromString(multiclusterCluster1YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #1") + + multiclusterCluster2YAML := fmt.Sprintf(multiclusterYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster2", "network2") + Log("Istio CR Cluster #2: ", multiclusterCluster2YAML) + Expect(k2.CreateFromString(multiclusterCluster2YAML)).To(Succeed(), "Istio Resource creation failed on Cluster #2") + }) + + It("updates both Istio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Cluster #1; unexpected Condition") + Success("Istio CR is Ready on Cluster #1") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Cluster #2; unexpected Condition") + Success("Istio CR is Ready on Cluster #1") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #1; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running on Cluster #1") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Cluster #2; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running on Cluster #2") + }) + }) + + When("Gateway is created in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #1") + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Cluster #2") + + // Expose the Gateway service in both clusters + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #1") + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Cluster #2") + }) + + It("updates both Gateway status to Available", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #1; unexpected Condition") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Cluster #2; unexpected Condition") + Success("Gateway is created and available in both clusters") + }) + }) + + When("are installed remote secrets on each cluster", func() { + BeforeAll(func(ctx SpecContext) { + // Get the internal IP of the control plane node in both clusters + internalIPCluster1, err := k1.GetInternalIP("node-role.kubernetes.io/control-plane") + Expect(err).NotTo(HaveOccurred()) + Expect(internalIPCluster1).NotTo(BeEmpty(), "Internal IP is empty for Cluster #1") + + internalIPCluster2, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") + Expect(internalIPCluster2).NotTo(BeEmpty(), "Internal IP is empty for Cluster #2") + Expect(err).NotTo(HaveOccurred()) + + // Install a remote secret in Cluster #1 that provides access to the Cluster #2 API server. + secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "cluster2", internalIPCluster2) + Expect(err).NotTo(HaveOccurred()) + Expect(k1.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1") + + // Install a remote secret in Cluster #2 that provides access to the Cluster #1 API server. 
+ secret, err = istioctl.CreateRemoteSecret(kubeconfig, "cluster1", internalIPCluster1) + Expect(err).NotTo(HaveOccurred()) + Expect(k2.ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Cluster #1") + }) + + It("remote secrets are created", func(ctx SpecContext) { + secret, err := common.GetObject(ctx, clPrimary, kube.Key("istio-remote-secret-cluster2", controlPlaneNamespace), &corev1.Secret{}) + Expect(err).NotTo(HaveOccurred()) + Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #1") + + secret, err = common.GetObject(ctx, clRemote, kube.Key("istio-remote-secret-cluster1", controlPlaneNamespace), &corev1.Secret{}) + Expect(err).NotTo(HaveOccurred()) + Expect(secret).NotTo(BeNil(), "Secret is not created on Cluster #2") + Success("Remote secrets are created in both clusters") + }) + }) + + When("sample apps are deployed in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + // Deploy the sample app in both clusters + deploySampleApp("sample", version) + Success("Sample app is deployed in both clusters") + }) + + It("updates the pods status to Ready", func(ctx SpecContext) { + samplePodsCluster1 := &corev1.PodList{} + + Expect(clPrimary.List(ctx, samplePodsCluster1, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsCluster1.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsCluster1.Items { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(pod.Name, "sample"), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Cluster #1; unexpected Condition") + } + + samplePodsCluster2 := &corev1.PodList{} + Expect(clRemote.List(ctx, samplePodsCluster2, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsCluster2.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsCluster2.Items { + Eventually(common.GetObject). 
+ WithArguments(ctx, clRemote, kube.Key(pod.Name, "sample"), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Cluster #2; unexpected Condition") + } + Success("Sample app is created in both clusters and Running") + }) + + It("can access the sample app from both clusters", func(ctx SpecContext) { + verifyResponsesAreReceivedFromBothClusters(k1, "Cluster #1") + verifyResponsesAreReceivedFromBothClusters(k2, "Cluster #2") + Success("Sample app is accessible from both clusters") + }) + }) + + When("istio CR is deleted in both clusters", func() { + BeforeEach(func() { + // Delete the Istio CR in both clusters + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Success("Istio CR is deleted in both clusters") + }) + + It("removes istiod pod", func(ctx SpecContext) { + // Check istiod pod is deleted in both clusters + Eventually(clPrimary.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(ReturnNotFoundError(), "Istiod should not exist anymore on Cluster #1") + Eventually(clRemote.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(ReturnNotFoundError(), "Istiod should not exist anymore on Cluster #2") + }) + }) + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() { + common.LogDebugInfo() + debugInfoLogged = true + } + + // Delete namespaces to ensure clean up for new tests iteration + Expect(k1.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + + Expect(k1.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Success("ControlPlane Namespaces are empty") + + Expect(k1.WaitNamespaceDeleted("sample")).To(Succeed()) + Expect(k2.WaitNamespaceDeleted("sample")).To(Succeed()) + Success("Sample app is deleted in both clusters") + }) + }) + } + }) + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() && !debugInfoLogged { + common.LogDebugInfo() + debugInfoLogged = true + } + + // Delete the Sail Operator from both clusters + Expect(k1.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #1") + Expect(k2.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Cluster #2") + Expect(k1.WaitNamespaceDeleted(namespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(namespace)).To(Succeed()) + }) +}) + +// deploySampleApp deploys the sample app in the given cluster +func deploySampleApp(ns string, istioVersion supportedversion.VersionInfo) { + // Create the namespace + Expect(k1.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(ns)).To(Succeed(), "Namespace failed to be created") + + // 
Label the namespace + Expect(k1.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching sample namespace") + Expect(k2.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"istio-injection":"enabled"}}}`)). + To(Succeed(), "Error patching sample namespace") + + version := istioVersion.Version.String() + // Deploy the sample app from upstream URL in both clusters + if istioVersion.Name == "latest" { + version = "master" + } + helloWorldURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/helloworld/helloworld.yaml", version) + Expect(k1.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "service=helloworld")).To(Succeed(), "Sample service deploy failed on Cluster #2") + + Expect(k1.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v1")).To(Succeed(), "Sample service deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).ApplyWithLabels(helloWorldURL, "version=v2")).To(Succeed(), "Sample service deploy failed on Cluster #2") + + sleepURL := fmt.Sprintf("https://raw.githubusercontent.com/istio/istio/%s/samples/sleep/sleep.yaml", version) + Expect(k1.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #1") + Expect(k2.WithNamespace(ns).Apply(sleepURL)).To(Succeed(), "Sample sleep deploy failed on Cluster #2") +} diff --git a/tests/e2e/multicluster/multicluster_primaryremote_test.go b/tests/e2e/multicluster/multicluster_primaryremote_test.go new file mode 100644 index 000000000..1ebfc799e --- /dev/null +++ b/tests/e2e/multicluster/multicluster_primaryremote_test.go 
@@ -0,0 +1,332 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package multicluster + +import ( + "context" + "fmt" + "time" + + "github.com/istio-ecosystem/sail-operator/api/v1alpha1" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo" + "github.com/istio-ecosystem/sail-operator/pkg/test/util/supportedversion" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/istioctl" + . "github.com/onsi/ginkgo/v2" + . 
"github.com/onsi/gomega" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +var _ = Describe("Multicluster deployment models", Ordered, func() { + SetDefaultEventuallyTimeout(180 * time.Second) + SetDefaultEventuallyPollingInterval(time.Second) + debugInfoLogged := false + + BeforeAll(func(ctx SpecContext) { + if !skipDeploy { + // Deploy the Sail Operator on both clusters + Expect(k1.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Primary Cluster") + Expect(k2.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created on Remote Cluster") + + Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig)). + To(Succeed(), "Operator failed to be deployed in Primary Cluster") + + Expect(common.InstallOperatorViaHelm("--kubeconfig", kubeconfig2)). + To(Succeed(), "Operator failed to be deployed in Remote Cluster") + + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Primary namespace and Running") + + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(deploymentName, namespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Error getting Istio CRD") + Success("Operator is deployed in the Remote namespace and Running") + } + }) + + Describe("Primary-Remote - Multi-Network configuration", func() { + // Test the Primary-Remote - Multi-Network configuration for each supported Istio version + for _, version := range supportedversion.List { + // The Primary-Remote - Multi-Network configuration is only supported in Istio 1.23, because that's the only + // version that has the istiod-remote chart. 
For 1.24, we need to rewrite the support for RemoteIstio. + if !(version.Version.Major() == 1 && version.Version.Minor() == 23) { + continue + } + + Context(fmt.Sprintf("Istio version %s", version.Version), func() { + When("Istio resources are created in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + Expect(k2.CreateNamespace(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be created") + + // Push the intermediate CA to both clusters + Expect(certs.PushIntermediateCA(k1, controlPlaneNamespace, "east", "network1", artifacts, clPrimary)). + To(Succeed(), "Error pushing intermediate CA to Primary Cluster") + Expect(certs.PushIntermediateCA(k2, controlPlaneNamespace, "west", "network2", artifacts, clRemote)). + To(Succeed(), "Error pushing intermediate CA to Remote Cluster") + + // Wait for the secret to be created in both clusters + Eventually(func() error { + _, err := common.GetObject(context.Background(), clPrimary, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Primary Cluster") + + Eventually(func() error { + _, err := common.GetObject(context.Background(), clRemote, kube.Key("cacerts", controlPlaneNamespace), &corev1.Secret{}) + return err + }).ShouldNot(HaveOccurred(), "Secret is not created on Primary Cluster") + + PrimaryYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + version: %s + namespace: %s + values: + pilot: + env: + EXTERNAL_ISTIOD: "true" + global: + meshID: %s + multiCluster: + clusterName: %s + network: %s` + multiclusterPrimaryYAML := fmt.Sprintf(PrimaryYAML, version.Name, controlPlaneNamespace, "mesh1", "cluster1", "network1") + Log("Istio CR Primary: ", multiclusterPrimaryYAML) + Expect(k1.CreateFromString(multiclusterPrimaryYAML)).To(Succeed(), "Istio Resource creation failed on Primary 
Cluster") + }) + + It("updates Istio CR on Primary cluster status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(istioName), &v1alpha1.Istio{}). + Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Primary; unexpected Condition") + Success("Istio CR is Ready on Primary Cluster") + }) + + It("deploys istiod", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Istiod is not Available on Primary; unexpected Condition") + Expect(common.GetVersionFromIstiod()).To(Equal(version.Version), "Unexpected istiod version") + Success("Istiod is deployed in the namespace and Running on Primary Cluster") + }) + }) + + When("Gateway is created on Primary cluster ", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(eastGatewayYAML)).To(Succeed(), "Gateway creation failed on Primary Cluster") + + // Expose istiod service in Primary cluster + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeIstiodYAML)).To(Succeed(), "Expose Istiod creation failed on Primary Cluster") + + // Expose the Gateway service in both clusters + Expect(k1.WithNamespace(controlPlaneNamespace).Apply(exposeServiceYAML)).To(Succeed(), "Expose Service creation failed on Primary Cluster") + }) + + It("updates Gateway status to Available", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Primary; unexpected Condition") + }) + }) + + When("RemoteIstio is created in Remote cluster", func() { + BeforeAll(func(ctx SpecContext) { + RemoteYAML := ` +apiVersion: sailoperator.io/v1alpha1 +kind: RemoteIstio +metadata: + name: default +spec: + version: %s + namespace: istio-system + values: + istiodRemote: + injectionPath: /inject/cluster/remote/net/network2 + global: + remotePilotAddress: %s` + + remotePilotAddress, err := common.GetSVCLoadBalancerAddress(ctx, clPrimary, controlPlaneNamespace, "istio-eastwestgateway") + Expect(remotePilotAddress).NotTo(BeEmpty(), "Remote Pilot Address is empty") + Expect(err).NotTo(HaveOccurred(), "Error getting Remote Pilot Address") + remoteIstioYAML := fmt.Sprintf(RemoteYAML, version.Name, remotePilotAddress) + Log("RemoteIstio CR: ", remoteIstioYAML) + By("Creating RemoteIstio CR on Remote Cluster") + Expect(k2.CreateFromString(remoteIstioYAML)).To(Succeed(), "RemoteIstio Resource creation failed on Remote Cluster") + + // Set the controlplane cluster and network for Remote namespace + By("Patching the istio-system namespace on Remote Cluster") + Expect( + k2.Patch( + "namespace", + controlPlaneNamespace, + "merge", + `{"metadata":{"annotations":{"topology.istio.io/controlPlaneClusters":"cluster1"}}}`)). + To(Succeed(), "Error patching istio-system namespace") + Expect( + k2.Patch( + "namespace", + controlPlaneNamespace, + "merge", + `{"metadata":{"labels":{"topology.istio.io/network":"network2"}}}`)). 
+ To(Succeed(), "Error patching istio-system namespace") + + // To be able to access the remote cluster from the primary cluster, we need to create a secret in the primary cluster + // RemoteIstio resource will not be Ready until the secret is created + // Get the internal IP of the control plane node in Remote cluster + internalIPRemote, err := k2.GetInternalIP("node-role.kubernetes.io/control-plane") + Expect(internalIPRemote).NotTo(BeEmpty(), "Internal IP is empty for Remote Cluster") + Expect(err).NotTo(HaveOccurred()) + + // Wait for the RemoteIstio CR to be created, this can be moved to a condition verification, but the resource it not will be Ready at this point + time.Sleep(5 * time.Second) + + // Install a remote secret in Primary cluster that provides access to the Remote cluster API server. + By("Creating Remote Secret on Primary Cluster") + secret, err := istioctl.CreateRemoteSecret(kubeconfig2, "remote", internalIPRemote) + Expect(err).NotTo(HaveOccurred()) + Expect(k1.WithNamespace(controlPlaneNamespace).ApplyString(secret)).To(Succeed(), "Remote secret creation failed on Primary Cluster") + }) + + It("secret is created", func(ctx SpecContext) { + secret, err := common.GetObject(ctx, clPrimary, kube.Key("istio-remote-secret-remote", controlPlaneNamespace), &corev1.Secret{}) + Expect(err).NotTo(HaveOccurred()) + Expect(secret).NotTo(BeNil(), "Secret is not created on Primary Cluster") + Success("Remote secret is created in Primary cluster") + }) + + It("updates RemoteIstio CR status to Ready", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.RemoteIstio{}). 
+ Should(HaveCondition(v1alpha1.IstioConditionReady, metav1.ConditionTrue), "Istio is not Ready on Remote; unexpected Condition") + Success("RemoteIstio CR is Ready on Remote Cluster") + }) + }) + + When("gateway is created in Remote cluster", func() { + BeforeAll(func(ctx SpecContext) { + Expect(k2.WithNamespace(controlPlaneNamespace).Apply(westGatewayYAML)).To(Succeed(), "Gateway creation failed on Remote Cluster") + Success("Gateway is created in Remote cluster") + }) + + It("updates Gateway status to Available", func(ctx SpecContext) { + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key("istio-eastwestgateway", controlPlaneNamespace), &appsv1.Deployment{}). + Should(HaveCondition(appsv1.DeploymentAvailable, metav1.ConditionTrue), "Gateway is not Ready on Remote; unexpected Condition") + Success("Gateway is created and available in Remote cluster") + }) + }) + + When("sample apps are deployed in both clusters", func() { + BeforeAll(func(ctx SpecContext) { + // Deploy the sample app in both clusters + deploySampleApp("sample", version) + Success("Sample app is deployed in both clusters") + }) + + It("updates the pods status to Ready", func(ctx SpecContext) { + samplePodsPrimary := &corev1.PodList{} + + Expect(clPrimary.List(ctx, samplePodsPrimary, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsPrimary.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsPrimary.Items { + Eventually(common.GetObject). + WithArguments(ctx, clPrimary, kube.Key(pod.Name, "sample"), &corev1.Pod{}). 
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Primary; unexpected Condition") + } + + samplePodsRemote := &corev1.PodList{} + Expect(clRemote.List(ctx, samplePodsRemote, client.InNamespace("sample"))).To(Succeed()) + Expect(samplePodsRemote.Items).ToNot(BeEmpty(), "No pods found in bookinfo namespace") + + for _, pod := range samplePodsRemote.Items { + Eventually(common.GetObject). + WithArguments(ctx, clRemote, kube.Key(pod.Name, "sample"), &corev1.Pod{}). + Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), "Pod is not Ready on Remote; unexpected Condition") + } + Success("Sample app is created in both clusters and Running") + }) + + It("can access the sample app from both clusters", func(ctx SpecContext) { + verifyResponsesAreReceivedFromBothClusters(k1, "Cluster #1") + verifyResponsesAreReceivedFromBothClusters(k2, "Cluster #2") + Success("Sample app is accessible from both clusters") + }) + }) + + When("Istio CR and RemoteIstio CR are deleted in both clusters", func() { + BeforeEach(func() { + Expect(k1.WithNamespace(controlPlaneNamespace).Delete("istio", istioName)).To(Succeed(), "Istio CR failed to be deleted") + Expect(k2.WithNamespace(controlPlaneNamespace).Delete("remoteistio", istioName)).To(Succeed(), "RemoteIstio CR failed to be deleted") + Success("Istio and RemoteIstio are deleted") + }) + + It("removes istiod on Primary", func(ctx SpecContext) { + Eventually(clPrimary.Get).WithArguments(ctx, kube.Key("istiod", controlPlaneNamespace), &appsv1.Deployment{}). 
+ Should(ReturnNotFoundError(), "Istiod should not exist anymore") + Success("Istiod is deleted on Primary Cluster") + }) + }) + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() { + common.LogDebugInfo() + debugInfoLogged = true + } + + // Delete namespaces to ensure clean up for new tests iteration + Expect(k1.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespaceNoWait(controlPlaneNamespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(k1.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespaceNoWait("sample")).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + + Expect(k1.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(controlPlaneNamespace)).To(Succeed()) + Success("ControlPlane Namespaces were deleted") + + Expect(k1.WaitNamespaceDeleted("sample")).To(Succeed()) + Expect(k2.WaitNamespaceDeleted("sample")).To(Succeed()) + Success("Sample app is deleted in both clusters") + }) + }) + } + }) + + AfterAll(func(ctx SpecContext) { + if CurrentSpecReport().Failed() && !debugInfoLogged { + common.LogDebugInfo() + debugInfoLogged = true + } + + // Delete the Sail Operator from both clusters + Expect(k1.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Primary Cluster") + Expect(k2.DeleteNamespaceNoWait(namespace)).To(Succeed(), "Namespace failed to be deleted on Remote Cluster") + Expect(k1.WaitNamespaceDeleted(namespace)).To(Succeed()) + Expect(k2.WaitNamespaceDeleted(namespace)).To(Succeed()) + }) +}) diff --git a/tests/e2e/multicluster/multicluster_suite_test.go b/tests/e2e/multicluster/multicluster_suite_test.go new file mode 100644 index 000000000..bf08d58d5 --- /dev/null +++ b/tests/e2e/multicluster/multicluster_suite_test.go 
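Review bot: In the BeforeAll of "RemoteIstio is created in Remote cluster", `Expect(remotePilotAddress).NotTo(BeEmpty(), ...)` and later `Expect(internalIPRemote).NotTo(BeEmpty(), ...)` run before the matching `Expect(err).NotTo(HaveOccurred())`, so when GetSVCLoadBalancerAddress or GetInternalIP fails the spec stops on the empty-value assertion and the underlying error is never reported; swap the two lines in both places. The `time.Sleep(5 * time.Second)` in the same block is a timing guess that will be flaky on a slower cluster, and its own comment says a condition check is intended — waiting with `Eventually(common.GetObject).WithArguments(ctx, clRemote, kube.Key(istioName), &v1alpha1.RemoteIstio{})` for the object to exist, as the file already does for the Istio CR, removes the guess. The RemoteYAML template hard-codes `namespace: istio-system` and `injectionPath: /inject/cluster/remote/net/network2` while everything else in the spec derives the namespace from controlPlaneNamespace (CONTROL_PLANE_NS), so overriding that variable points the RemoteIstio at a namespace the test never creates; pass controlPlaneNamespace into the template the way PrimaryYAML does. The second cacerts wait also reuses the message "Secret is not created on Primary Cluster" although it polls clRemote, which will mislead whoever reads a failure.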
@@ -0,0 +1,104 @@
+//go:build e2e
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package multicluster
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/certs"
+ k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+var (
+ clPrimary client.Client
+ clRemote client.Client
+ err error
+ ocp = env.GetBool("OCP", false)
+ namespace = common.OperatorNamespace
+ deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
+ controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system")
+ istioName = env.Get("ISTIO_NAME", "default")
+ skipDeploy = env.GetBool("SKIP_DEPLOY", false)
+ multicluster = env.GetBool("MULTICLUSTER", false)
+ kubeconfig = env.Get("KUBECONFIG", "")
+ kubeconfig2 = env.Get("KUBECONFIG2", "")
+ artifacts = env.Get("ARTIFACTS", "/tmp/artifacts")
+
+ eastGatewayYAML string
+ westGatewayYAML string
+ exposeServiceYAML string
+ exposeIstiodYAML string
+
+ k1 kubectl.Kubectl
+ k2 kubectl.Kubectl
+)
+
+func TestInstall(t *testing.T) {
+ if !multicluster {
+ t.Skip("Skipping test. Only valid for multicluster")
+ }
+ if ocp {
+ t.Skip("Skipping test. Not valid for OCP")
+ // TODO: Implement the steps to run the test on OCP
+ // https://github.com/istio-ecosystem/sail-operator/issues/365
+ }
+ RegisterFailHandler(Fail)
+ setup(t)
+ RunSpecs(t, "Multi-Cluster Test Suite")
+}
+
+func setup(t *testing.T) {
+ GinkgoWriter.Println("************ Running Setup ************")
+
+ GinkgoWriter.Println("Initializing k8s client")
+ clPrimary, err = k8sclient.InitK8sClient(kubeconfig)
+ clRemote, err = k8sclient.InitK8sClient(kubeconfig2)
+ if err != nil {
+ t.Fatalf("Error initializing k8s client: %v", err)
+ }
+
+ err := certs.CreateIntermediateCA(artifacts)
+ if err != nil {
+ t.Fatalf("Error creating intermediate CA: %v", err)
+ }
+
+ // Set the path for the multicluster YAML files to be used
+ workDir, err := os.Getwd()
+ if err != nil {
+ t.Fatalf("Error getting working directory: %v", err)
+ }
+
+ // Set base path
+ baseRepoDir := filepath.Join(workDir, "../../..")
+ eastGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net1.yaml", baseRepoDir)
+ westGatewayYAML = fmt.Sprintf("%s/docs/multicluster/east-west-gateway-net2.yaml", baseRepoDir)
+ exposeServiceYAML = fmt.Sprintf("%s/docs/multicluster/expose-services.yaml", baseRepoDir)
+ exposeIstiodYAML = fmt.Sprintf("%s/docs/multicluster/expose-istiod.yaml", baseRepoDir)
+
+ // Initialize kubectl utilities, one for each cluster
+ k1 = kubectl.New().WithKubeconfig(kubeconfig)
+ k2 = kubectl.New().WithKubeconfig(kubeconfig2)
+}
diff --git a/tests/e2e/operator/operator_install_test.go b/tests/e2e/operator/operator_install_test.go
index cc6777d6c..0bb5b887a 100644
--- a/tests/e2e/operator/operator_install_test.go
+++ b/tests/e2e/operator/operator_install_test.go
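Review bot: In setup, `clPrimary, err = k8sclient.InitK8sClient(kubeconfig)` is immediately followed by `clRemote, err = k8sclient.InitK8sClient(kubeconfig2)`, so an error from the primary client is overwritten before the `if err != nil` check and the suite continues with a nil clPrimary; check the error after each call, e.g. insert `if err != nil { t.Fatalf("Error initializing primary k8s client: %v", err) }` between them. Because getConfig falls back to os.Getenv("KUBECONFIG") when it receives an empty path (client.go hunk later in this diff), leaving KUBECONFIG2 unset makes clRemote silently target the primary cluster (and presumably k2 too, depending on how WithKubeconfig treats an empty value), so every "both clusters" assertion would pass against a single cluster; a guard in TestInstall such as `if kubeconfig2 == "" { t.Fatal("KUBECONFIG2 must be set for the multicluster suite") }` would make this fail early. The package-level `err` in the var block is only written by those two assignments and is shadowed by the `err :=` declarations further down in setup, so it can be dropped in favour of a local.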
@@ -17,16 +17,12 @@
 package operator
 
 import (
- "path/filepath"
 "time"
 
 "github.com/istio-ecosystem/sail-operator/pkg/kube"
- "github.com/istio-ecosystem/sail-operator/pkg/test/project"
 . "github.com/istio-ecosystem/sail-operator/pkg/test/util/ginkgo"
- common "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
 . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm"
- "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 appsv1 "k8s.io/api/apps/v1"
@@ -60,7 +56,7 @@ var _ = Describe("Operator", Ordered, func() {
 
 Describe("installation", func() {
 BeforeAll(func() {
- Expect(kubectl.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created")
+ Expect(k.CreateNamespace(namespace)).To(Succeed(), "Namespace failed to be created")
 
 extraArg := ""
 if ocp {
@@ -70,7 +66,7 @@ var _ = Describe("Operator", Ordered, func() {
 if skipDeploy {
 Success("Skipping operator installation because it was deployed externally")
 } else {
- Expect(helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), "--namespace "+namespace, "--set=image="+image, extraArg)).
+ Expect(common.InstallOperatorViaHelm(extraArg)).
 To(Succeed(), "Operator failed to be deployed")
 }
 })
@@ -120,12 +116,12 @@ var _ = Describe("Operator", Ordered, func() {
 }
 
 By("Uninstalling the operator")
- Expect(helm.Uninstall("sail-operator", "--namespace "+namespace)).
+ Expect(common.UninstallOperator()).
 To(Succeed(), "Operator failed to be deleted")
 Success("Operator uninstalled")
 
 By("Deleting the CRDs")
- Expect(kubectl.DeleteCRDs(sailCRDs)).To(Succeed(), "CRDs failed to be deleted")
+ Expect(k.DeleteCRDs(sailCRDs)).To(Succeed(), "CRDs failed to be deleted")
 Success("CRDs deleted")
 })
 })
diff --git a/tests/e2e/operator/operator_suite_test.go b/tests/e2e/operator/operator_suite_test.go
index ebe1c972d..5995af641 100644
--- a/tests/e2e/operator/operator_suite_test.go
+++ b/tests/e2e/operator/operator_suite_test.go
@@ -20,7 +20,9 @@ import (
 "testing"
 
 k8sclient "github.com/istio-ecosystem/sail-operator/tests/e2e/util/client"
- env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -30,15 +32,20 @@ var (
 cl client.Client
 ocp = env.GetBool("OCP", false)
 skipDeploy = env.GetBool("SKIP_DEPLOY", false)
- image = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest")
- namespace = env.Get("NAMESPACE", "sail-operator")
+ namespace = common.OperatorNamespace
 deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator")
+ multicluster = env.GetBool("MULTICLUSTER", false)
+
+ k kubectl.Kubectl
 )
 
 func TestInstall(t *testing.T) {
+ if multicluster {
+ t.Skip("Skipping test for multicluster")
+ }
 RegisterFailHandler(Fail)
 setup()
- RunSpecs(t, "Install Operator Suite")
+ RunSpecs(t, "Operator Installation Test Suite")
 }
 
 func setup() {
@@ -46,7 +53,7 @@ func setup() {
 
 GinkgoWriter.Println("Initializing k8s client")
 var err error
- cl, err = k8sclient.InitK8sClient()
+ cl, err = k8sclient.InitK8sClient("")
 Expect(err).NotTo(HaveOccurred())
 
 if ocp {
@@ -54,4 +61,6 @@ func setup() {
 } else {
 GinkgoWriter.Println("Running on Kubernetes")
 }
+
+ k = kubectl.New()
 }
diff --git a/tests/e2e/util/certs/certs.go b/tests/e2e/util/certs/certs.go
new file mode 100644
index 000000000..505eebe6f
--- /dev/null
+++ b/tests/e2e/util/certs/certs.go
@@ -0,0 +1,280 @@ +//go:build e2e + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package certs + +import ( + "context" + "fmt" + "os" + "path/filepath" + + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/common" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// CreateIntermediateCA creates the intermediate CA +func CreateIntermediateCA(basePath string) error { + certsDir := filepath.Join(basePath, "certs") + + // Create the certs directory + err := os.MkdirAll(certsDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create certs directory: %w", err) + } + + // Create the root CA configuration file + err = createRootCAConf(certsDir) + if err != nil { + return fmt.Errorf("failed to create root-ca.conf: %w", err) + } + + // Step 1: Generate root-key.pem + rootKey := filepath.Join(certsDir, "root-key.pem") + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl genrsa -out %s 4096", rootKey)) + if err != nil { + return fmt.Errorf("failed to generate root-key.pem: %w", err) + } + + // Step 2: Generate root-cert.csr using root-key.pem and root-ca.conf + rootCSR := filepath.Join(certsDir, "root-cert.csr") + rootConf := filepath.Join(certsDir, 
"root-ca.conf") // You'll need to ensure root-ca.conf exists + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl req -sha256 -new -key %s -config %s -out %s", rootKey, rootConf, rootCSR)) + if err != nil { + return fmt.Errorf("failed to generate root-cert.csr: %w", err) + } + + // Step 3: Generate root-cert.pem + rootCert := filepath.Join(certsDir, "root-cert.pem") + _, err = shell.ExecuteCommand( + fmt.Sprintf("openssl x509 -req -sha256 -days 3650 -signkey %s -extensions req_ext -extfile %s -in %s -out %s", + rootKey, rootConf, rootCSR, rootCert)) + if err != nil { + return fmt.Errorf("failed to generate root-cert.pem: %w", err) + } + + // Step 4: Generate east-cacerts (self-signed intermediate certificates) + // Create directories for east and west if needed + eastDir := filepath.Join(certsDir, "east") + westDir := filepath.Join(certsDir, "west") + + // Create the east and west directories + err = os.MkdirAll(eastDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create east directory: %w", err) + } + err = os.MkdirAll(westDir, 0o755) + if err != nil { + return fmt.Errorf("failed to create west directory: %w", err) + } + + // Create the intermediate CA configuration file + err = createIntermediateCAConf(eastDir) + if err != nil { + return fmt.Errorf("failed to create ca.conf on east dir: %w", err) + } + + err = createIntermediateCAConf(westDir) + if err != nil { + return fmt.Errorf("failed to create ca.conf on west dir: %w", err) + } + + err = generateIntermediateCACertificates(eastDir, rootCert, rootKey) + if err != nil { + return fmt.Errorf("failed to generate east intermediate CA certificates: %w", err) + } + + err = generateIntermediateCACertificates(westDir, rootCert, rootKey) + if err != nil { + return fmt.Errorf("failed to generate west intermediate CA certificates: %w", err) + } + + return nil +} + +func generateIntermediateCACertificates(dir string, rootCert string, rootKey string) error { + caKey := filepath.Join(dir, "ca-key.pem") + _, err 
:= shell.ExecuteCommand(fmt.Sprintf("openssl genrsa -out %s 4096", caKey)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-key.pem: %w", err) + } + + caCSR := filepath.Join(dir, "ca-cert.csr") + caConf := filepath.Join(dir, "ca.conf") + _, err = shell.ExecuteCommand(fmt.Sprintf("openssl req -sha256 -new -config %s -key %s -out %s", caConf, caKey, caCSR)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-cert.csr: %w", err) + } + + caCert := filepath.Join(dir, "ca-cert.pem") + _, err = shell.ExecuteCommand( + fmt.Sprintf("openssl x509 -req -sha256 -days 3650 -CA %s -CAkey %s -CAcreateserial -extensions req_ext -extfile %s -in %s -out %s", + rootCert, rootKey, caConf, caCSR, caCert)) + if err != nil { + return fmt.Errorf("failed to generate east-ca-cert.pem: %w", err) + } + + certChain := filepath.Join(dir, "cert-chain.pem") + _, err = shell.ExecuteCommand(fmt.Sprintf("cat %s %s > %s", caCert, rootCert, certChain)) + if err != nil { + return fmt.Errorf("failed to generate east-cert-chain.pem: %w", err) + } + + return nil +} + +// createRootCAConf creates the root CA configuration file +func createRootCAConf(certsDir string) error { + confPath := filepath.Join(certsDir, "root-ca.conf") + confContent := ` +[ req ] +encrypt_key = no +prompt = no +utf8 = yes +default_md = sha256 +default_bits = 4096 +req_extensions = req_ext +x509_extensions = req_ext +distinguished_name = req_dn + +[ req_ext ] +subjectKeyIdentifier = hash +basicConstraints = critical, CA:true +keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign + +[ req_dn ] +O = Istio +CN = Root CA +` + + // Write the configuration file to the directory + return writeFile(confPath, confContent) +} + +// createIntermediateCAConf creates the intermediate CA configuration file +func createIntermediateCAConf(certsDir string) error { + confPath := filepath.Join(certsDir, "ca.conf") + confContent := fmt.Sprintf(` +[ req ] +encrypt_key = no +prompt = no +utf8 = 
yes +default_md = sha256 +default_bits = 4096 +req_extensions = req_ext +x509_extensions = req_ext +distinguished_name = req_dn + +[ req_ext ] +subjectKeyIdentifier = hash +basicConstraints = critical, CA:true, pathlen:0 +keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign +subjectAltName=@san + +[ san ] +DNS.1 = istiod.istio-system.svc + +[ req_dn ] +O = Istio +CN = Intermediate CA +L = %s +`, confPath) + + // Write the configuration file to the directory + return writeFile(confPath, confContent) +} + +// writeFile writes the content to the file +func writeFile(confPath string, confContent string) error { + file, err := os.Create(confPath) + if err != nil { + return fmt.Errorf("failed to create %s: %v", confPath, err) + } + defer file.Close() + + _, err = file.WriteString(confContent) + if err != nil { + return fmt.Errorf("failed to write to %s: %v", confPath, err) + } + + return nil +} + +// PushIntermediateCA pushes the intermediate CA to the cluster +func PushIntermediateCA(k kubectl.Kubectl, ns, zone, network, basePath string, cl client.Client) error { + // Set cert dir + certDir := filepath.Join(basePath, "certs") + + // Check if the secret exists in the cluster + _, err := common.GetObject(context.Background(), cl, kube.Key("cacerts", ns), &corev1.Secret{}) + if err != nil { + // Label the namespace with the network + err = k.Patch("namespace", ns, "merge", `{"metadata":{"labels":{"topology.istio.io/network":"`+network+`"}}}`) + if err != nil { + return fmt.Errorf("failed to label namespace: %w", err) + } + + // Read the pem content from the files + caCertPath := filepath.Join(certDir, zone, "ca-cert.pem") + caKeyPath := filepath.Join(certDir, zone, "ca-key.pem") + rootCertPath := filepath.Join(certDir, "root-cert.pem") + certChainPath := filepath.Join(certDir, zone, "cert-chain.pem") + + // Read the pem content from the files to create the secret + caCert, err := os.ReadFile(caCertPath) + if err != nil { + return 
fmt.Errorf("failed to read ca-cert.pem: %w", err) + } + caKey, err := os.ReadFile(caKeyPath) + if err != nil { + return fmt.Errorf("failed to read ca-key.pem: %w", err) + } + rootCert, err := os.ReadFile(rootCertPath) + if err != nil { + return fmt.Errorf("failed to read root-cert.pem: %w", err) + } + certChain, err := os.ReadFile(certChainPath) + if err != nil { + return fmt.Errorf("failed to read cert-chain.pem: %w", err) + } + + // Create the secret by using the client in the cluster and the files created in the setup + secret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "cacerts", + Namespace: ns, + }, + Data: map[string][]byte{ + "ca-cert.pem": caCert, + "ca-key.pem": caKey, + "root-cert.pem": rootCert, + "cert-chain.pem": certChain, + }, + } + + err = cl.Create(context.Background(), secret) + if err != nil { + return fmt.Errorf("failed to create secret: %w", err) + } + } + + return nil +} diff --git a/tests/e2e/util/client/client.go b/tests/e2e/util/client/client.go index 9ab45ee74..efebdad0f 100644 --- a/tests/e2e/util/client/client.go +++ b/tests/e2e/util/client/client.go @@ -27,8 +27,17 @@ import ( ) // getConfig returns the configuration of the kubernetes go-client -func getConfig() (*rest.Config, error) { - // use the current context in kubeconfig +func getConfig(kubeconfig string) (*rest.Config, error) { + // If kubeconfig is provided, use it + if kubeconfig != "" { + config, err := clientcmd.BuildConfigFromFlags("", kubeconfig) + if err != nil { + return nil, fmt.Errorf("error building config: %w", err) + } + + return config, nil + } + // If not kubeconfig is provided use the current context in kubeconfig config, err := clientcmd.BuildConfigFromFlags("", os.Getenv("KUBECONFIG")) if err != nil { return nil, fmt.Errorf("error building config: %w", err) 
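Review bot: The comment on the fallback branch of getConfig, `// If not kubeconfig is provided use the current context in kubeconfig`, misdescribes the line beneath it, which reads the KUBECONFIG environment variable; make it `// No kubeconfig given: fall back to the KUBECONFIG environment variable`. The two branches differ only in which path they hand to BuildConfigFromFlags, so the duplicated error handling can go: `if kubeconfig == "" { kubeconfig = os.Getenv("KUBECONFIG") }` followed by a single BuildConfigFromFlags call. getConfig's body continues past the end of the hunk.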
@@ -38,8 +47,11 @@ func getConfig() (*rest.Config, error) {
 }
 
 // InitK8sClient returns the kubernetes clientset
-func InitK8sClient() (client.Client, error) {
- config, err := getConfig()
+// Arguments:
+// Kubeconfig: string
+// Set kubeconfig to "" to use the current context in kubeconfig
+func InitK8sClient(kubeconfig string) (client.Client, error) {
+ config, err := getConfig(kubeconfig)
 if err != nil {
 return nil, fmt.Errorf("error getting config for k8s client: %w", err)
 }
diff --git a/tests/e2e/util/common/e2e_utils.go b/tests/e2e/util/common/e2e_utils.go
index a787a4b49..b03cbc251 100644
--- a/tests/e2e/util/common/e2e_utils.go
+++ b/tests/e2e/util/common/e2e_utils.go
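Review bot: The added doc comment on InitK8sClient (`// Arguments:` / `// Kubeconfig: string` / `// Set kubeconfig to "" ...`) does not follow Go doc conventions and capitalises a parameter that is spelled `kubeconfig` in the signature. One sentence carries the same information: `// InitK8sClient returns a controller-runtime client for the cluster described by kubeconfig; pass "" to use the KUBECONFIG environment variable instead.` The function body continues past the hunk.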
@@ -18,42 +18,91 @@ package common import ( "context" + "fmt" + "path/filepath" + "regexp" "strings" "time" - env "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + "github.com/Masterminds/semver/v3" + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "github.com/istio-ecosystem/sail-operator/pkg/test/project" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env" + . "github.com/istio-ecosystem/sail-operator/tests/e2e/util/gomega" + "github.com/istio-ecosystem/sail-operator/tests/e2e/util/helm" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/kubectl" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" "istio.io/istio/pkg/ptr" ) var ( - namespace = env.Get("NAMESPACE", "sail-operator") + OperatorImage = env.Get("IMAGE", "quay.io/maistra-dev/sail-operator:latest") + OperatorNamespace = env.Get("NAMESPACE", "sail-operator") + deploymentName = env.Get("DEPLOYMENT_NAME", "sail-operator") controlPlaneNamespace = env.Get("CONTROL_PLANE_NS", "istio-system") istioName = env.Get("ISTIO_NAME", "default") istioCniName = env.Get("ISTIOCNI_NAME", "default") istioCniNamespace = env.Get("ISTIOCNI_NAMESPACE", "istio-cni") + + // version can have one of the following formats: + // - 1.22.2 + // - 1.23.0-rc.1 + // - 1.24-alpha.feabc1234 + istiodVersionRegex = regexp.MustCompile(`Version:"([^"]*)"`) + + k = kubectl.New() ) -// getObject returns the object with the given key +// GetObject returns the object with the given key func GetObject(ctx context.Context, cl client.Client, key client.ObjectKey, obj client.Object) (client.Object, error) { err := cl.Get(ctx, key, obj) return obj, err } -// getList invokes client.List and returns the list +// GetList invokes client.List and returns the list func GetList(ctx context.Context, cl client.Client, list client.ObjectList, opts ...client.ListOption) 
(client.ObjectList, error) { err := cl.List(ctx, list, opts...) return list, err } -// checkNamespaceEmpty checks if the given namespace is empty +// GetPodNameByLabel returns the name of the pod with the given label +func GetPodNameByLabel(ctx context.Context, cl client.Client, ns, labelKey, labelValue string) (string, error) { + podList := &corev1.PodList{} + err := cl.List(ctx, podList, client.InNamespace(ns), client.MatchingLabels{labelKey: labelValue}) + if err != nil { + return "", err + } + if len(podList.Items) == 0 { + return "", fmt.Errorf("no pod found with label %s=%s", labelKey, labelValue) + } + return podList.Items[0].Name, nil +} + +// GetSVCLoadBalancerAddress returns the address of the service with the given name +func GetSVCLoadBalancerAddress(ctx context.Context, cl client.Client, ns, svcName string) (string, error) { + svc := &corev1.Service{} + err := cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) + if err != nil { + return "", err + } + + // To avoid flakiness, wait for the LoadBalancer to be ready + Eventually(func() ([]corev1.LoadBalancerIngress, error) { + err := cl.Get(ctx, client.ObjectKey{Namespace: ns, Name: svcName}, svc) + return svc.Status.LoadBalancer.Ingress, err + }, "1m", "1s").ShouldNot(BeEmpty(), "LoadBalancer should be ready") + + return svc.Status.LoadBalancer.Ingress[0].IP, nil +} + +// CheckNamespaceEmpty checks if the given namespace is empty func CheckNamespaceEmpty(ctx SpecContext, cl client.Client, ns string) { // TODO: Check to add more validations Eventually(func() ([]corev1.Pod, error) { 
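Review bot: GetSVCLoadBalancerAddress returns `svc.Status.LoadBalancer.Ingress[0].IP` without checking it, so on a provider that populates `Hostname` rather than `IP` the caller receives an empty string with a nil error. Guard it, for example `if ip := svc.Status.LoadBalancer.Ingress[0].IP; ip == "" { return "", fmt.Errorf("LoadBalancer ingress of %s/%s has no IP", ns, svcName) }`, or fall back to the Hostname field when IP is empty. The initial cl.Get before the Eventually is redundant, since the poll re-fetches the same service, and a timeout inside Eventually fails the spec rather than surfacing through the error return, which deserves a sentence in the doc comment. CheckNamespaceEmpty continues past the hunk.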
@@ -97,53 +146,57 @@ func LogDebugInfo() { } func logOperatorDebugInfo() { - operator, err := kubectl.GetYAML(namespace, "deployment", deploymentName) + k := k.WithNamespace(OperatorNamespace) + operator, err := k.GetYAML("deployment", deploymentName) logDebugElement("Operator Deployment YAML", operator, err) - logs, err := kubectl.Logs(namespace, "deploy/"+deploymentName, ptr.Of(120*time.Second)) + logs, err := k.Logs("deploy/"+deploymentName, ptr.Of(120*time.Second)) logDebugElement("Operator logs", logs, err) - events, err := kubectl.GetEvents(namespace) - logDebugElement("Events in "+namespace, events, err) + events, err := k.GetEvents() + logDebugElement("Events in "+OperatorNamespace, events, err) - // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(namespace, "-o wide") - logDebugElement("Pods in "+namespace, pods, err) + // Temporary information to gather more details about failure + pods, err := k.GetPods("", "-o wide") + logDebugElement("Pods in "+OperatorNamespace, pods, err) - describe, err := kubectl.Describe(namespace, "deployment", deploymentName) + describe, err := k.Describe("deployment", deploymentName) logDebugElement("Operator Deployment describe", describe, err) } func logIstioDebugInfo() { - resource, err := kubectl.GetYAML("", "istio", istioName) + resource, err := k.GetYAML("istio", istioName) logDebugElement("Istio YAML", resource, err) - output, err := kubectl.GetPods(controlPlaneNamespace, "-o wide") + output, err := k.WithNamespace(controlPlaneNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+controlPlaneNamespace, output, err) - logs, err := kubectl.Logs(controlPlaneNamespace, "deploy/istiod", ptr.Of(120*time.Second)) + logs, err := k.WithNamespace(controlPlaneNamespace).Logs("deploy/istiod", ptr.Of(120*time.Second)) logDebugElement("Istiod logs", logs, err) - events, err := kubectl.GetEvents(controlPlaneNamespace) + events, err := k.WithNamespace(controlPlaneNamespace).GetEvents() 
logDebugElement("Events in "+controlPlaneNamespace, events, err) } func logCNIDebugInfo() { - resource, err := kubectl.GetYAML("", "istiocni", istioCniName) + resource, err := k.GetYAML("istiocni", istioCniName) logDebugElement("IstioCNI YAML", resource, err) - ds, err := kubectl.GetYAML(istioCniNamespace, "daemonset", "istio-cni-node") + ds, err := k.WithNamespace(istioCniNamespace).GetYAML("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet YAML", ds, err) - events, err := kubectl.GetEvents(istioCniNamespace) + events, err := k.WithNamespace(istioCniNamespace).GetEvents() logDebugElement("Events in "+istioCniNamespace, events, err) - // Temporaty information to gather more details about failure - pods, err := kubectl.GetPods(istioCniNamespace, "-o wide") + // Temporary information to gather more details about failure + pods, err := k.WithNamespace(istioCniNamespace).GetPods("", "-o wide") logDebugElement("Pods in "+istioCniNamespace, pods, err) - describe, err := kubectl.Describe(istioCniNamespace, "daemonset", "istio-cni-node") + describe, err := k.WithNamespace(istioCniNamespace).Describe("daemonset", "istio-cni-node") logDebugElement("Istio CNI DaemonSet describe", describe, err) + + logs, err := k.WithNamespace(istioCniNamespace).Logs("daemonset/istio-cni-node", ptr.Of(120*time.Second)) + logDebugElement("Istio CNI logs", logs, err) } func logDebugElement(caption string, info string, err error) { 
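Review bot: In logOperatorDebugInfo the local `k := k.WithNamespace(OperatorNamespace)` shadows the package-level `k` declared in the var block; it works because the receiver is a value, but shadow linters flag it and a reader cannot tell at a glance which `k` later lines use, so a distinct name such as `opk := k.WithNamespace(OperatorNamespace)` is clearer. logIstioDebugInfo and logCNIDebugInfo instead repeat `k.WithNamespace(...)` on every call; hoisting it into one local, as the operator function does, would make the three siblings consistent.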
@@ -155,3 +208,50 @@ func logDebugElement(caption string, info string, err error) {
 GinkgoWriter.Println(indent + strings.ReplaceAll(strings.TrimSpace(info), "\n", "\n"+indent))
 }
 }
+
+func GetVersionFromIstiod() (*semver.Version, error) {
+ k := kubectl.New()
+ output, err := k.WithNamespace(controlPlaneNamespace).Exec("deploy/istiod", "", "pilot-discovery version")
+ if err != nil {
+ return nil, fmt.Errorf("error getting version from istiod: %w", err)
+ }
+
+ matches := istiodVersionRegex.FindStringSubmatch(output)
+ if len(matches) > 1 && matches[1] != "" {
+ return semver.NewVersion(matches[1])
+ }
+ return nil, fmt.Errorf("error getting version from istiod: version not found in output: %s", output)
+}
+
+func CheckPodsReady(ctx SpecContext, cl client.Client, namespace string) (*corev1.PodList, error) {
+ podList := &corev1.PodList{}
+
+ err := cl.List(ctx, podList, client.InNamespace(namespace))
+ if err != nil {
+ return nil, fmt.Errorf("failed to list pods in %s namespace: %w", namespace, err)
+ }
+
+ Expect(podList.Items).ToNot(BeEmpty(), fmt.Sprintf("No pods found in %s namespace", namespace))
+
+ for _, pod := range podList.Items {
+ Eventually(GetObject).WithArguments(ctx, cl, kube.Key(pod.Name, namespace), &corev1.Pod{}).
+ Should(HaveCondition(corev1.PodReady, metav1.ConditionTrue), fmt.Sprintf("%q Pod in %q namespace is not Ready", pod.Name, namespace))
+ }
+
+ return podList, nil
+}
+
+func InstallOperatorViaHelm(extraArgs ...string) error {
+ args := []string{
+ "--namespace " + OperatorNamespace,
+ "--set image=" + OperatorImage,
+ "--set operatorLogLevel=3",
+ }
+ args = append(args, extraArgs...)
+
+ return helm.Install("sail-operator", filepath.Join(project.RootDir, "chart"), args...)
+}
+
+func UninstallOperator() error {
+ return helm.Uninstall("sail-operator", "--namespace", OperatorNamespace)
+}
diff --git a/tests/e2e/util/istioctl/istioctl.go b/tests/e2e/util/istioctl/istioctl.go
new file mode 100644
index 000000000..7186ed6b1
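Review bot: CheckPodsReady mixes two failure channels: the List error is returned, but the empty-list and not-Ready cases fail the spec through Expect/Eventually, so a caller can never handle "not ready" from the error value, and the returned list is the snapshot taken before waiting, so pods created in the meantime are not checked. These exported helpers also lack doc comments; for this one something like `// CheckPodsReady lists the pods in namespace and asserts (failing the current spec) that each becomes Ready; it returns the list as first observed, so pods created afterwards are not covered.` Whether `"--namespace " + OperatorNamespace` in InstallOperatorViaHelm works as a single argument with an embedded space depends on how helm.Install assembles the command line, which is not visible here; passing `"--namespace", OperatorNamespace` as two elements, as UninstallOperator already does, avoids the question.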
--- /dev/null
+++ b/tests/e2e/util/istioctl/istioctl.go
@@ -0,0 +1,55 @@
+//go:build e2e
+
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR Condition OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package istioctl
+
+import (
+ "fmt"
+
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/env"
+ "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell"
+)
+
+var istioctlBinary = env.Get("ISTIOCTL_PATH", "istioctl")
+
+// Istioctl returns the istioctl command
+// If the environment variable COMMAND is set, it will return the value of COMMAND
+// Otherwise, it will return the default value "istioctl" as default
+// Arguments:
+// - format: format of the command without istioctl
+// - args: arguments of the command
+func istioctl(format string, args ...interface{}) string {
+ binary := "istioctl"
+ if istioctlBinary != "" {
+ binary = istioctlBinary
+ }
+
+ cmd := fmt.Sprintf(format, args...)
+
+ return fmt.Sprintf("%s %s", binary, cmd)
+}
+
+// CreateRemoteSecret creates a secret in the remote cluster
+// Arguments:
+// - remoteKubeconfig: kubeconfig of the remote cluster
+// - secretName: name of the secret
+// - internalIP: internal IP of the remote cluster
+func CreateRemoteSecret(remoteKubeconfig string, secretName string, internalIP string) (string, error) {
+ cmd := istioctl("create-remote-secret --kubeconfig %s --name %s --server=https://%s:6443", remoteKubeconfig, secretName, internalIP)
+ yaml, err := shell.ExecuteCommand(cmd)
+
+ return yaml, err
+}
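Review bot: The doc comment on istioctl() describes a `COMMAND` environment variable and calls the function `Istioctl`, but the binary actually comes from `ISTIOCTL_PATH` through env.Get with "istioctl" as the default, so the `if istioctlBinary != ""` guard only matters if env.Get can return an empty value for an explicitly empty variable. Replace the comment with `// istioctl formats an istioctl command line; the binary is taken from ISTIOCTL_PATH and defaults to "istioctl".` CreateRemoteSecret hard-codes port 6443 in `--server=https://%s:6443` and splices its three arguments into the command line unquoted, which is acceptable for the test-controlled values it is meant for but worth stating in its doc comment. The license header also reads `WITHOUT WARRANTIES OR Condition OF ANY KIND` where the Apache text has `CONDITIONS`.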
diff --git a/tests/e2e/util/kubectl/kubectl.go b/tests/e2e/util/kubectl/kubectl.go
index 7d4e8f054..5c92fbee0 100644
--- a/tests/e2e/util/kubectl/kubectl.go
+++ b/tests/e2e/util/kubectl/kubectl.go
@@ -17,32 +17,92 @@ package kubectl import ( "fmt" "os" + "strconv" "strings" "time" "github.com/istio-ecosystem/sail-operator/tests/e2e/util/shell" ) -const DefaultBinary = "kubectl" +type Kubectl struct { + binary string + namespace string + kubeconfig string +} + +// New creates a new kubectl.Kubectl +func New() Kubectl { + return Kubectl{}.WithBinary(os.Getenv("COMMAND")) +} + +func (k Kubectl) build(cmd string) string { + args := []string{k.binary} -// kubectl return the kubectl command -// If the environment variable COMMAND is set, it will return the value of COMMAND -// Otherwise, it will return the default value "kubectl" as default -// Arguments: -// - format: format of the command without kubeclt or oc -// - args: arguments of the command -func kubectl(format string, args ...interface{}) string { - binary := DefaultBinary - if cmd := os.Getenv("COMMAND"); cmd != "" { - binary = cmd + // Only append namespace if it's set + if k.namespace != "" { + args = append(args, k.namespace) } - return binary + " " + fmt.Sprintf(format, args...) 
+ // Only append kubeconfig if it's set + if k.kubeconfig != "" { + args = append(args, k.kubeconfig) + } + + args = append(args, cmd) + + // Join all the arguments with a space + return strings.Join(args, " ") +} + +// WithBinary returns a new Kubectl with the binary set to the given value; if the value is "", the binary is set to "kubectl" +func (k Kubectl) WithBinary(binary string) Kubectl { + if binary == "" { + k.binary = "kubectl" + } else { + k.binary = binary + } + return k +} + +// WithNamespace returns a new Kubectl with the namespace set to the given value +func (k Kubectl) WithNamespace(ns string) Kubectl { + if ns == "" { + k.namespace = "--all-namespaces" + } else { + k.namespace = fmt.Sprintf("-n %s", ns) + } + return k +} + +// WithKubeconfig returns a new Kubectl with kubeconfig set to the given value +func (k Kubectl) WithKubeconfig(kubeconfig string) Kubectl { + if kubeconfig == "" { + k.kubeconfig = "" + } else { + k.kubeconfig = fmt.Sprintf("--kubeconfig %s", kubeconfig) + } + return k +} + +// CreateNamespace creates a namespace +// If the namespace already exists, it will return nil +func (k Kubectl) CreateNamespace(ns string) error { + cmd := k.build(" create namespace " + ns) + output, err := k.executeCommand(cmd) + if err != nil { + if strings.Contains(output, "AlreadyExists") { + return nil + } + + return fmt.Errorf("error creating namespace: %w, output: %s", err, output) + } + + return nil } // CreateFromString creates a resource from the given yaml string -func CreateFromString(yamlString string) error { - cmd := kubectl("create -f -") +func (k Kubectl) CreateFromString(yamlString string) error { + cmd := k.build(" create -f -") _, err := shell.ExecuteCommandWithInput(cmd, yamlString) if err != nil { return fmt.Errorf("error creating resource from yaml: %w", err) 
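Review bot: WithNamespace gives "" a different meaning than New(): a Kubectl straight from New() has an empty namespace and build() emits no flag at all, while `WithNamespace("")` sets `--all-namespaces`, which kubectl rejects on write verbs such as create, apply and delete, so `k.WithNamespace("").CreateNamespace(...)` fails at runtime. Document that on the method, `// WithNamespace returns a copy scoped to ns; ns == "" selects --all-namespaces, which is only valid for read verbs (get, describe, logs).`, or have the write methods return an error when the all-namespaces flag is set. Separately, every caller passes build() a command with a leading space (`" create namespace "`) and build() joins with another space, producing double spaces; `args = append(args, strings.TrimSpace(cmd))` makes build() tolerant of either form. CreateFromString continues past the hunk.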
@@ -50,21 +110,42 @@ func CreateFromString(yamlString string) error { return nil } -// ApplyString applies the given yaml string to the cluster -func ApplyString(ns, yamlString string) error { - cmd := kubectl("apply -n %s --server-side -f -", ns) - _, err := shell.ExecuteCommandWithInput(cmd, yamlString) - if err != nil { - return fmt.Errorf("error applying yaml: %w", err) +// DeleteCRDs deletes the CRDs by given list of crds names +func (k Kubectl) DeleteCRDs(crds []string) error { + for _, crd := range crds { + cmd := k.build(" delete crd " + crd) + _, err := shell.ExecuteCommand(cmd) + if err != nil { + return fmt.Errorf("error deleting crd %s: %w", crd, err) + } } return nil } -// Apply applies the given yaml file to the cluster -func Apply(ns, yamlFile string) error { - cmd := kubectl("apply -n %s -f %s", ns, yamlFile) - _, err := shell.ExecuteCommand(cmd) +// DeleteNamespaceNoWait deletes a namespace and returns immediately (without waiting for the namespace to be removed). +func (k Kubectl) DeleteNamespaceNoWait(namespaces ...string) error { + return k.deleteNamespace(namespaces, false) +} + +// DeleteNamespace deletes a namespace and waits for it to be removed completely. +func (k Kubectl) DeleteNamespace(namespaces ...string) error { + return k.deleteNamespace(namespaces, true) +} + +func (k Kubectl) deleteNamespace(namespaces []string, wait bool) error { + cmd := k.build(" delete namespace " + strings.Join(namespaces, " ") + " --wait=" + strconv.FormatBool(wait)) + _, err := k.executeCommand(cmd) + if err != nil { + return fmt.Errorf("error deleting namespace: %w", err) + } + return nil +} + +// ApplyString applies the given yaml string to the cluster +func (k Kubectl) ApplyString(yamlString string) error { + cmd := k.build(" apply --server-side -f -") + _, err := shell.ExecuteCommandWithInput(cmd, yamlString) if err != nil { return fmt.Errorf("error applying yaml: %w", err) } 
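Review bot: DeleteCRDs calls `shell.ExecuteCommand(cmd)` directly while every sibling in this hunk goes through `k.executeCommand(cmd)`; once executeCommand does anything beyond delegation the CRD path will silently diverge, so use the method here too. deleteNamespace with an empty variadic list runs `delete namespace --wait=...` with no name, which kubectl rejects with a generic usage error; an early `if len(namespaces) == 0 { return fmt.Errorf("no namespace given") }` makes that failure explicit. ApplyString continues past the hunk.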
@@ -72,37 +153,38 @@ func Apply(ns, yamlFile string) error { return nil } -// CreateNamespace creates a namespace -// If the namespace already exists, it will return nil -func CreateNamespace(ns string) error { - cmd := kubectl("create namespace %s", ns) - output, err := shell.ExecuteCommand(cmd) - if err != nil { - if strings.Contains(output, "AlreadyExists") { - return nil - } +// Apply applies the given yaml file to the cluster +func (k Kubectl) Apply(yamlFile string) error { + err := k.ApplyWithLabels(yamlFile, "") + return err +} - return fmt.Errorf("error creating namespace: %w, output: %s", err, output) +// ApplyWithLabels applies the given yaml file to the cluster with the given labels +func (k Kubectl) ApplyWithLabels(yamlFile, label string) error { + cmd := k.build(" apply " + labelFlag(label) + " -f " + yamlFile) + _, err := k.executeCommand(cmd) + if err != nil { + return fmt.Errorf("error applying yaml: %w", err) } return nil } -// DeleteNamespace deletes a namespace -func DeleteNamespace(ns string) error { - cmd := kubectl("delete namespace %s", ns) - _, err := shell.ExecuteCommand(cmd) +// DeleteFromFile deletes a resource from the given yaml file +func (k Kubectl) DeleteFromFile(yamlFile string) error { + cmd := k.build(" delete -f " + yamlFile) + _, err := k.executeCommand(cmd) if err != nil { - return fmt.Errorf("error deleting namespace: %w", err) + return fmt.Errorf("error deleting resource from yaml: %w", err) } return nil } // Delete deletes a resource based on the namespace, kind and the name -func Delete(ns, kind, name string) error { - cmd := kubectl("delete %s %s %s", kind, name, nsflag(ns)) - _, err := shell.ExecuteCommand(cmd) +func (k Kubectl) Delete(kind, name string) error { + cmd := k.build(" delete " + kind + " " + name) + _, err := k.executeCommand(cmd) if err != nil { return fmt.Errorf("error deleting deployment: %w", err) } 
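Review bot: Apply's body `err := k.ApplyWithLabels(yamlFile, ""); return err` is a plain forwarding call and reads better as `return k.ApplyWithLabels(yamlFile, "")`. Delete now takes kind and name but still reports `error deleting deployment` for every kind; `return fmt.Errorf("error deleting %s %s: %w", kind, name, err)` would make failures on other resources legible. Delete continues past the hunk.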
@@ -110,51 +192,46 @@ func Delete(ns, kind, name string) error { return nil } -// DeleteCRDs deletes the CRDs by given list of crds names -func DeleteCRDs(crds []string) error { - for _, crd := range crds { - cmd := kubectl("delete crd %s", crd) - _, err := shell.ExecuteCommand(cmd) - if err != nil { - return fmt.Errorf("error deleting crd %s: %w", crd, err) - } - } - - return nil +// Wait waits for a specific condition on one or many resources +func (k Kubectl) Wait(waitFor, resource string, timeout time.Duration) error { + cmd := k.build(fmt.Sprintf("wait --for %s %s --timeout %s", waitFor, resource, timeout.String())) + _, err := k.executeCommand(cmd) + return err } -// Patch patches a resource. -func Patch(ns, kind, name, patchType, patch string) error { - cmd := kubectl(`patch %s %s %s --type=%s -p=%q`, kind, name, prepend("-n", ns), patchType, patch) - _, err := shell.ExecuteCommand(cmd) +// Patch patches a resource +func (k Kubectl) Patch(kind, name, patchType, patch string) error { + cmd := k.build(fmt.Sprintf(" patch %s %s --type=%s -p=%q", kind, name, patchType, patch)) + _, err := k.executeCommand(cmd) if err != nil { return fmt.Errorf("error patching resource: %w", err) } return nil } -// ForceDelete deletes a resource by removing its finalizers. -func ForceDelete(ns, kind, name string) error { +// ForceDelete deletes a resource by removing its finalizers +func (k Kubectl) ForceDelete(kind, name string) error { // Not all resources have finalizers, trying to remove them returns an error here. // We explicitly ignore the error and attempt to delete the resource anyway. 
- _ = Patch(ns, kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) - return Delete(ns, kind, name) + _ = k.Patch(kind, name, "json", `[{"op": "remove", "path": "/metadata/finalizers"}]`) + return k.Delete(kind, name) } // GetYAML returns the yaml of a resource -// Arguments: -// - ns: namespace -// - kind: type of the resource -// - name: name of the resource -func GetYAML(ns, kind, name string) (string, error) { - cmd := kubectl("get %s %s %s -o yaml", kind, name, nsflag(ns)) - return shell.ExecuteCommand(cmd) +func (k Kubectl) GetYAML(kind, name string) (string, error) { + cmd := k.build(fmt.Sprintf(" get %s %s -o yaml", kind, name)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", fmt.Errorf("error getting yaml: %w, output: %s", err, output) + } + + return output, nil } // GetPods returns the pods of a namespace -func GetPods(ns string, args ...string) (string, error) { - cmd := kubectl("get pods %s %s", nsflag(ns), strings.Join(args, " ")) - output, err := shell.ExecuteCommand(cmd) +func (k Kubectl) GetPods(args ...string) (string, error) { + cmd := k.build(fmt.Sprintf(" get pods %s", strings.Join(args, " "))) + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error getting pods: %w, output: %s", err, output) } 
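Review bot: Wait returns the raw error and discards the command output, whereas Patch, GetYAML and GetPods in the same hunk wrap the error and attach the output; a timed-out `kubectl wait` is exactly the case where the output says what was still pending. Use the same shape: `output, err := k.executeCommand(cmd)` followed by `if err != nil { return fmt.Errorf("error waiting for %s on %s: %w, output: %s", waitFor, resource, err, output) }`. Wait is also the only method that hands build() a command without the leading space the others use, harmless but inconsistent. GetPods continues past the hunk.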
@@ -162,10 +239,31 @@ func GetPods(ns string, args ...string) (string, error) { return output, nil } +// GetInternalIP returns the internal IP of a node +func (k Kubectl) GetInternalIP(label string) (string, error) { + cmd := k.build(fmt.Sprintf(" get nodes -l %s -o jsonpath='{.items[0].status.addresses[?(@.type==\"InternalIP\")].address}'", label)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", fmt.Errorf("error getting internal IP: %w, output: %s", err, output) + } + + return output, nil +} + +// Exec executes a command in the pod or specific container +func (k Kubectl) Exec(pod, container, command string) (string, error) { + cmd := k.build(fmt.Sprintf(" exec %s %s -- %s", pod, containerFlag(container), command)) + output, err := k.executeCommand(cmd) + if err != nil { + return "", err + } + return output, nil +} + // GetEvents returns the events of a namespace -func GetEvents(ns string) (string, error) { - cmd := kubectl("get events %s", nsflag(ns)) - output, err := shell.ExecuteCommand(cmd) +func (k Kubectl) GetEvents() (string, error) { + cmd := k.build(" get events") + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error getting events: %w, output: %s", err, output) } @@ -174,13 +272,9 @@ func GetEvents(ns string) (string, error) { } // Describe returns the description of a resource -// Arguments: -// - ns: namespace -// - kind: type of the resource -// - name: name of the resource -func Describe(ns, kind, name string) (string, error) { - cmd := kubectl("describe %s %s %s", kind, name, nsflag(ns)) - output, err := shell.ExecuteCommand(cmd) +func (k Kubectl) Describe(kind, name string) (string, error) { + cmd := k.build(fmt.Sprintf(" describe %s %s", kind, name)) + output, err := k.executeCommand(cmd) if err != nil { return "", fmt.Errorf("error describing resource: %w, output: %s", err, output) } 
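Review bot: GetInternalIP returns whatever the jsonpath prints, so when no node matches `label` it returns "" with a nil error, and a caller feeding that into a URL such as CreateRemoteSecret's `--server=https://%s:6443` ends up with `https://:6443`. Add `if output == "" { return "", fmt.Errorf("no node with label %s has an InternalIP address", label) }` before the return. Exec passes `command` after `--` as unquoted text, so the executing layer splits it on whitespace; that is what the `"pilot-discovery version"` caller relies on, and a line in the doc comment (`// command is split on whitespace by the shell; quote arguments that contain spaces`) would spare the next caller a surprise. Whether the single quotes around the jsonpath survive depends on how shell.ExecuteCommand runs the line, which is not visible here.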
@@ -189,12 +283,8 @@ func Describe(ns, kind, name string) (string, error) {
 }
 
 // Logs returns the logs of a deployment
-// Arguments:
-// - ns: namespace
-// - pod: the pod name, "kind/name", or "-l labelselector"
-// - Since: time range
-func Logs(ns, pod string, since *time.Duration) (string, error) {
- cmd := kubectl("logs %s %s %s", pod, nsflag(ns), sinceFlag(since))
+func (k Kubectl) Logs(pod string, since *time.Duration) (string, error) {
+ cmd := k.build(fmt.Sprintf(" logs %s %s", pod, sinceFlag(since)))
 output, err := shell.ExecuteCommand(cmd)
 if err != nil {
 return "", err
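Review bot: The rewrite drops the part of the doc comment that actually documented the contract, `pod: the pod name, "kind/name", or "-l labelselector"`, and leaves `Logs returns the logs of a deployment`, which is now narrower than what the method accepts. Keep it as `// Logs returns the logs of pod, which may be a pod name, "kind/name" or "-l labelselector"; since limits the window when non-nil.` Logs also still calls shell.ExecuteCommand directly instead of k.executeCommand like the other methods. The method body continues past the hunk.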
@@ -202,39 +292,31 @@ func Logs(ns, pod string, since *time.Duration) (string, error) {
 return output, nil
 }
 
-func sinceFlag(since *time.Duration) string {
- if since == nil {
- return ""
- }
- return "--since=" + since.String()
+// executeCommand handles running the command and then resets the namespace automatically
+func (k Kubectl) executeCommand(cmd string) (string, error) {
+ return shell.ExecuteCommand(cmd)
 }
 
-// Exec executes a command in the pod or specific container
-func Exec(ns, pod, container, command string) (string, error) {
- cmd := kubectl("exec %s %s %s -- %s", pod, containerflag(container), nsflag(ns), command)
- output, err := shell.ExecuteCommand(cmd)
- if err != nil {
- return "", err
- }
- return output, nil
+// WaitNamespaceDeleted waits for a namespace to be deleted
+func (k Kubectl) WaitNamespaceDeleted(ns string) error {
+ return k.Wait("delete", "namespace/"+ns, 2*time.Minute)
 }
 
-// prepend prepends the prefix, but only if str is not empty
-func prepend(prefix, str string) string {
- if str == "" {
- return str
+func sinceFlag(since *time.Duration) string {
+ if since == nil {
+ return ""
 }
- return prefix + str
+ return "--since=" + since.String()
 }
 
-func nsflag(ns string) string {
- if ns == "" {
- return "--all-namespaces"
+func labelFlag(label string) string {
+ if label == "" {
+ return ""
 }
- return "-n " + ns
+ return "-l " + label
 }
 
-func containerflag(container string) string {
+func containerFlag(container string) string {
 if container == "" {
 return ""
 }
diff --git a/tests/integration/api/istio_test.go b/tests/integration/api/istio_test.go
index 7345b8b34..f4113ed0d 100644
--- a/tests/integration/api/istio_test.go
+++ b/tests/integration/api/istio_test.go
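Review bot: The comment on executeCommand, `handles running the command and then resets the namespace automatically`, describes behaviour the body does not have: it only forwards to shell.ExecuteCommand, and with a value receiver there is no state to reset. Say what it does, `// executeCommand runs an already built command line; Kubectl methods funnel through here so logging or retries can be added in one place.` WaitNamespaceDeleted hard-codes a 2-minute timeout with no way to override it; if that proves flaky on slower clusters, a variant that takes the timeout and calls Wait is cheap to add. containerFlag continues past the hunk.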
@@ -272,6 +272,14 @@ var _ = Describe("Istio resource", Ordered, func() {
 deleteAllIstiosAndRevisions(ctx)
 })
 
+ When("namespace is updated", func() {
+ It("throws a validation error as the field is immutable", func() {
+ Expect(k8sClient.Get(ctx, istioKey, istio)).To(Succeed())
+ istio.Spec.Namespace = workloadNamespace
+ Expect(k8sClient.Update(ctx, istio)).To(MatchError(ContainSubstring("immutable")))
+ })
+ })
+
 When("version is updated", func() {
 BeforeAll(func() {
 Expect(k8sClient.Get(ctx, istioKey, istio)).To(Succeed())
diff --git a/tools/update_deps.sh b/tools/update_deps.sh
index f544bbaff..90fd2a737 100755
--- a/tools/update_deps.sh
+++ b/tools/update_deps.sh
@@ -31,6 +31,10 @@ function getLatestVersion() {
 # Update common files
 make update-common
 
+# update build container used in github actions
+NEW_IMAGE_MASTER=$(grep IMAGE_VERSION= < common/scripts/setup_env.sh | cut -d= -f2)
+sed -i -e "s|\(gcr.io/istio-testing/build-tools\):master.*|\1:$NEW_IMAGE_MASTER|" .github/workflows/update-deps.yaml
+
 # Update go dependencies
 export GO111MODULE=on
 go get -u "istio.io/istio@${UPDATE_BRANCH}"
@@ -58,7 +62,7 @@ sed -i "s|OPM_VERSION ?= .*|OPM_VERSION ?= ${OPM_LATEST_VERSION}|" "${ROOTDIR}/M
 RBAC_PROXY_LATEST_VERSION=$(getLatestVersion brancz/kube-rbac-proxy | cut -d/ -f1)
 # Only update it if the newer image is available in the registry
 if docker manifest inspect "gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}" >/dev/null 2>/dev/null; then
- sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/templates/deployment.yaml"
+ sed -i "s|gcr.io/kubebuilder/kube-rbac-proxy:.*|gcr.io/kubebuilder/kube-rbac-proxy:${RBAC_PROXY_LATEST_VERSION}|" "${ROOTDIR}/chart/values.yaml"
 fi
 
 # Update gitleaks
diff --git a/versions.yaml b/versions.yaml
index 116ad15ac..d4170669d 100644
--- a/versions.yaml
+++ b/versions.yaml
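Review bot: The immutability spec only exercises the validation rule if `workloadNamespace` differs from the namespace already stored in the fetched Istio; if the two were ever equal the Update would succeed and the spec would fail with a misleading message rather than for the reason under test. A one-line precondition before the assignment, `Expect(istio.Spec.Namespace).ToNot(Equal(workloadNamespace))`, pins that assumption. The enclosing Describe block starts and ends outside the hunk.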
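Review bot: `NEW_IMAGE_MASTER` is never checked before the sed uses it, so if the grep matches nothing, or matches more than one line, the sed rewrites the build-tools tag to an empty or multi-line value and the script carries on as if the bump had worked. Guard it right after the assignment with `[[ -n "${NEW_IMAGE_MASTER}" ]] || { echo "IMAGE_VERSION not found in common/scripts/setup_env.sh" >&2; exit 1; }`. The sed targets only .github/workflows/update-deps.yaml, so any other file that pins the same build-tools image tag would still have to be bumped by hand, which deserves a comment if that is intended. getLatestVersion and the rest of the script are outside the hunk.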
@@ -11,46 +11,45 @@ # go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), # as well as all the Istio CRDs (e.g. VirtualService). versions: - - name: v1.23.0 - version: 1.23.0 + - name: v1.23.2 + version: 1.23.2 repo: https://github.com/istio/istio - commit: 1.23.0 + commit: 1.23.2 charts: - - https://istio-release.storage.googleapis.com/charts/base-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.23.0.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.0.tgz - - name: v1.22.3 - version: 1.22.3 + - https://istio-release.storage.googleapis.com/charts/base-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.23.2.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.2.tgz + - name: v1.22.5 + version: 1.22.5 repo: https://github.com/istio/istio - commit: 1.22.3 + commit: 1.22.5 charts: - - https://istio-release.storage.googleapis.com/charts/base-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.22.3.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.3.tgz - - name: v1.21.5 - version: 1.21.5 + - https://istio-release.storage.googleapis.com/charts/base-1.22.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.22.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.22.5.tgz + - 
https://istio-release.storage.googleapis.com/charts/cni-1.22.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.22.5.tgz + - name: v1.21.6 + version: 1.21.6 repo: https://github.com/istio/istio - commit: 1.21.5 + commit: 1.21.6 charts: - - https://istio-release.storage.googleapis.com/charts/base-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/istiod-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/gateway-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/cni-1.21.5.tgz - - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.5.tgz + - https://istio-release.storage.googleapis.com/charts/base-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.21.6.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.21.6.tgz - name: latest - version: 1.24-alpha + version: 1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070 repo: https://github.com/istio/istio branch: master - commit: b28bdd77da4c7f0f4f3631db514f1c4f79a90289 + commit: 1d92787e64d8c46594e86ae9b5e90265384e5070 charts: - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/base-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/cni-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/gateway-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/istiod-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - 
https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/istiod-remote-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz - - https://storage.googleapis.com/istio-build/dev/1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289/helm/ztunnel-1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070/helm/base-1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070/helm/cni-1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070/helm/gateway-1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070/helm/istiod-1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070.tgz + - https://storage.googleapis.com/istio-build/dev/1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070/helm/ztunnel-1.24-alpha.1d92787e64d8c46594e86ae9b5e90265384e5070.tgz