From c8c95fcd0a5f414a41936d974520d42f906f6cfc Mon Sep 17 00:00:00 2001 From: Filip Brychta Date: Thu, 10 Oct 2024 15:54:08 +0200 Subject: [PATCH] OSSM-8242: use just one istio version so we can build it in cpaas + bump (#146) to tp2 --- Makefile.vendor.mk | 4 +- api/v1alpha1/istio_types.go | 10 +- api/v1alpha1/istiocni_types.go | 10 +- api/v1alpha1/istiorevision_types.go | 6 +- api/v1alpha1/remoteistio_types.go | 10 +- .../manifests/sailoperator.io_istiocnis.yaml | 8 +- .../sailoperator.io_istiorevisions.yaml | 5 +- bundle/manifests/sailoperator.io_istios.yaml | 8 +- .../sailoperator.io_remoteistios.yaml | 8 +- ...cemeshoperator3.clusterserviceversion.yaml | 32 +- chart/Chart.yaml | 4 +- chart/crds/sailoperator.io_istiocnis.yaml | 8 +- .../crds/sailoperator.io_istiorevisions.yaml | 5 +- chart/crds/sailoperator.io_istios.yaml | 8 +- chart/crds/sailoperator.io_remoteistios.yaml | 8 +- chart/values.yaml | 2 +- docs/api-reference/sailoperator.io.md | 14 +- ossm/versions.yaml | 24 + resources/latest/charts/base/Chart.yaml | 10 - resources/latest/charts/base/README.md | 35 - .../latest/charts/base/crds/crd-all.gen.yaml | 16531 ---------------- .../charts/base/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 28 - .../profile-compatibility-version-1.22.yaml | 21 - .../profile-compatibility-version-1.23.yaml | 10 - .../charts/base/files/profile-demo.yaml | 90 - .../base/files/profile-openshift-ambient.yaml | 28 - .../charts/base/files/profile-openshift.yaml | 20 - .../charts/base/files/profile-preview.yaml | 13 - .../charts/base/files/profile-stable.yaml | 8 - .../latest/charts/base/templates/NOTES.txt | 5 - .../latest/charts/base/templates/crds.yaml | 3 - .../latest/charts/base/templates/default.yaml | 56 - .../charts/base/templates/endpoints.yaml | 26 - .../base/templates/reader-serviceaccount.yaml | 18 - .../charts/base/templates/services.yaml | 40 - .../templates/validatingadmissionpolicy.yaml | 53 - .../charts/base/templates/zzz_profile.yaml | 62 - resources/latest/charts/base/values.yaml | 42 - resources/latest/charts/cni/Chart.yaml | 11 - resources/latest/charts/cni/README.md | 65 - .../charts/cni/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 28 - .../profile-compatibility-version-1.22.yaml | 21 - .../profile-compatibility-version-1.23.yaml | 10 - .../latest/charts/cni/files/profile-demo.yaml | 90 - .../cni/files/profile-openshift-ambient.yaml | 28 - .../charts/cni/files/profile-openshift.yaml | 20 - .../charts/cni/files/profile-preview.yaml | 13 - .../charts/cni/files/profile-stable.yaml | 8 - .../latest/charts/cni/templates/NOTES.txt | 5 - .../latest/charts/cni/templates/_helpers.tpl | 8 - .../charts/cni/templates/clusterrole.yaml | 80 - .../cni/templates/clusterrolebinding.yaml | 66 - .../charts/cni/templates/configmap-cni.yaml | 30 - .../charts/cni/templates/daemonset.yaml | 213 - .../network-attachment-definition.yaml | 11 - .../charts/cni/templates/resourcequota.yaml | 19 - .../charts/cni/templates/serviceaccount.yaml | 19 - .../cni/templates/zzy_descope_legacy.yaml | 3 - .../charts/cni/templates/zzz_profile.yaml | 62 - resources/latest/charts/cni/values.yaml | 143 - resources/latest/charts/gateway/Chart.yaml | 12 - resources/latest/charts/gateway/README.md | 170 - .../charts/gateway/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 28 - .../profile-compatibility-version-1.22.yaml | 21 - .../profile-compatibility-version-1.23.yaml | 10 - .../charts/gateway/files/profile-demo.yaml | 90 - .../files/profile-openshift-ambient.yaml | 28 - .../gateway/files/profile-openshift.yaml | 20 - .../charts/gateway/files/profile-preview.yaml | 13 - .../charts/gateway/files/profile-stable.yaml | 8 - .../latest/charts/gateway/templates/NOTES.txt | 9 - .../charts/gateway/templates/_helpers.tpl | 40 - .../charts/gateway/templates/deployment.yaml | 117 - .../latest/charts/gateway/templates/hpa.yaml | 40 - .../templates/poddisruptionbudget.yaml | 18 - .../latest/charts/gateway/templates/role.yaml | 37 - .../charts/gateway/templates/service.yaml | 66 - .../gateway/templates/serviceaccount.yaml | 15 - .../charts/gateway/templates/zzz_profile.yaml | 62 - .../latest/charts/gateway/values.schema.json | 301 - resources/latest/charts/gateway/values.yaml | 154 - .../latest/charts/istiod-remote/Chart.yaml | 11 - .../latest/charts/istiod-remote/NOTES.txt | 4 - .../files/gateway-injection-template.yaml | 250 - .../files/injection-template.yaml | 536 - .../istiod-remote/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 28 - .../profile-compatibility-version-1.22.yaml | 21 - .../profile-compatibility-version-1.23.yaml | 10 - .../istiod-remote/files/profile-demo.yaml | 90 - .../files/profile-openshift-ambient.yaml | 28 - .../files/profile-openshift.yaml | 20 - .../istiod-remote/files/profile-preview.yaml | 13 - .../istiod-remote/files/profile-stable.yaml | 8 - .../istiod-remote/templates/_helpers.tpl | 23 - .../istiod-remote/templates/clusterrole.yaml | 167 - .../templates/clusterrolebinding.yaml | 39 - .../istiod-remote/templates/configmap.yaml | 114 - .../istiod-remote/templates/default.yaml | 58 - ...aultrevisionvalidatingadmissionpolicy.yaml | 55 - .../istiod-remote/templates/endpoints.yaml | 26 - .../templates/istiod-injector-configmap.yaml | 82 - .../templates/mutatingwebhook.yaml | 160 - .../templates/reader-clusterrole.yaml | 62 - .../templates/reader-clusterrolebinding.yaml | 17 - .../templates/reader-serviceaccount.yaml | 18 - .../charts/istiod-remote/templates/role.yaml | 34 - .../istiod-remote/templates/rolebinding.yaml | 20 - .../templates/serviceaccount.yaml | 23 - .../istiod-remote/templates/services.yaml | 40 - .../templates/validatingadmissionpolicy.yaml | 62 - .../validatingwebhookconfiguration.yaml | 67 - .../templates/zzy_descope_legacy.yaml | 3 - .../istiod-remote/templates/zzz_profile.yaml | 62 - .../latest/charts/istiod-remote/values.yaml | 441 - resources/latest/charts/istiod/Chart.yaml | 12 - resources/latest/charts/istiod/README.md | 73 - .../files/gateway-injection-template.yaml | 250 - .../charts/istiod/files/grpc-agent.yaml | 310 - .../charts/istiod/files/grpc-simple.yaml | 65 - .../istiod/files/injection-template.yaml | 536 - .../charts/istiod/files/kube-gateway.yaml | 341 - .../charts/istiod/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 28 - .../profile-compatibility-version-1.22.yaml | 21 - .../profile-compatibility-version-1.23.yaml | 10 - .../charts/istiod/files/profile-demo.yaml | 90 - .../files/profile-openshift-ambient.yaml | 28 - .../istiod/files/profile-openshift.yaml | 20 - .../charts/istiod/files/profile-preview.yaml | 13 - .../charts/istiod/files/profile-stable.yaml | 8 - .../latest/charts/istiod/files/waypoint.yaml | 305 - .../latest/charts/istiod/templates/NOTES.txt | 82 - .../charts/istiod/templates/_helpers.tpl | 23 - .../charts/istiod/templates/autoscale.yaml | 41 - .../charts/istiod/templates/clusterrole.yaml | 165 - .../istiod/templates/clusterrolebinding.yaml | 37 - .../istiod/templates/configmap-jwks.yaml | 16 - .../charts/istiod/templates/configmap.yaml | 114 - .../charts/istiod/templates/deployment.yaml | 277 - .../templates/istiod-injector-configmap.yaml | 82 - .../istiod/templates/mutatingwebhook.yaml | 160 - .../istiod/templates/poddisruptionbudget.yaml | 27 - .../istiod/templates/reader-clusterrole.yaml | 62 - .../templates/reader-clusterrolebinding.yaml | 17 - .../istiod/templates/revision-tags.yaml | 143 - .../latest/charts/istiod/templates/role.yaml | 32 - .../charts/istiod/templates/rolebinding.yaml | 18 - .../charts/istiod/templates/service.yaml | 52 - .../istiod/templates/serviceaccount.yaml | 21 - .../templates/validatingadmissionpolicy.yaml | 60 - .../validatingwebhookconfiguration.yaml | 65 - .../istiod/templates/zzy_descope_legacy.yaml | 3 - .../charts/istiod/templates/zzz_profile.yaml | 62 - resources/latest/charts/istiod/values.yaml | 521 - resources/latest/charts/ztunnel/Chart.yaml | 11 - resources/latest/charts/ztunnel/README.md | 50 - .../charts/ztunnel/files/profile-ambient.yaml | 17 - .../profile-compatibility-version-1.21.yaml | 28 - .../profile-compatibility-version-1.22.yaml | 21 - .../profile-compatibility-version-1.23.yaml | 10 - .../charts/ztunnel/files/profile-demo.yaml | 90 - .../files/profile-openshift-ambient.yaml | 28 - .../ztunnel/files/profile-openshift.yaml | 20 - .../charts/ztunnel/files/profile-preview.yaml | 13 - .../charts/ztunnel/files/profile-stable.yaml | 8 - .../latest/charts/ztunnel/templates/NOTES.txt | 5 - .../charts/ztunnel/templates/_helpers.tpl | 10 - .../charts/ztunnel/templates/daemonset.yaml | 197 - .../latest/charts/ztunnel/templates/rbac.yaml | 74 - .../charts/ztunnel/templates/zzz_profile.yaml | 62 - resources/latest/charts/ztunnel/values.yaml | 98 - resources/latest/profiles/ambient.yaml | 5 - resources/latest/profiles/default.yaml | 10 - resources/latest/profiles/demo.yaml | 5 - resources/latest/profiles/empty.yaml | 5 - .../latest/profiles/openshift-ambient.yaml | 5 - resources/latest/profiles/openshift.yaml | 5 - resources/latest/profiles/preview.yaml | 8 - resources/latest/profiles/stable.yaml | 5 - resources/v1.21.5/charts/base/Chart.yaml | 10 - resources/v1.21.5/charts/base/README.md | 35 - .../v1.21.5/charts/base/crds/crd-all.gen.yaml | 8457 -------- .../charts/base/files/profile-ambient.yaml | 25 - .../profile-compatibility-version-1.20.yaml | 6 - .../charts/base/files/profile-demo.yaml | 69 - .../charts/base/files/profile-openshift.yaml | 19 - .../charts/base/files/profile-preview.yaml | 9 - .../v1.21.5/charts/base/templates/NOTES.txt | 5 - .../v1.21.5/charts/base/templates/crds.yaml | 3 - .../charts/base/templates/default.yaml | 45 - .../charts/base/templates/endpoints.yaml | 23 - .../base/templates/reader-serviceaccount.yaml | 16 - .../charts/base/templates/services.yaml | 37 - .../charts/base/templates/zzz_profile.yaml | 34 - resources/v1.21.5/charts/base/values.yaml | 40 - resources/v1.21.5/charts/cni/Chart.yaml | 11 - resources/v1.21.5/charts/cni/README.md | 65 - .../charts/cni/files/profile-ambient.yaml | 25 - .../profile-compatibility-version-1.20.yaml | 6 - .../charts/cni/files/profile-demo.yaml | 69 - .../charts/cni/files/profile-openshift.yaml | 19 - .../charts/cni/files/profile-preview.yaml | 9 - .../v1.21.5/charts/cni/templates/NOTES.txt | 5 - .../charts/cni/templates/clusterrole.yaml | 74 - .../cni/templates/clusterrolebinding.yaml | 58 - .../charts/cni/templates/configmap-cni.yaml | 34 - .../charts/cni/templates/daemonset.yaml | 228 - .../network-attachment-definition.yaml | 9 - .../charts/cni/templates/resourcequota.yaml | 16 - .../charts/cni/templates/serviceaccount.yaml | 17 - .../charts/cni/templates/zzz_profile.yaml | 34 - resources/v1.21.5/charts/cni/values.yaml | 147 - resources/v1.21.5/charts/gateway/Chart.yaml | 12 - resources/v1.21.5/charts/gateway/README.md | 170 - .../charts/gateway/files/profile-ambient.yaml | 25 - .../profile-compatibility-version-1.20.yaml | 6 - .../charts/gateway/files/profile-demo.yaml | 69 - .../gateway/files/profile-openshift.yaml | 19 - .../charts/gateway/files/profile-preview.yaml | 9 - .../charts/gateway/templates/NOTES.txt | 9 - .../charts/gateway/templates/_helpers.tpl | 61 - .../charts/gateway/templates/deployment.yaml | 123 - .../v1.21.5/charts/gateway/templates/hpa.yaml | 42 - .../templates/poddisruptionbudget.yaml | 16 - .../charts/gateway/templates/role.yaml | 33 - .../charts/gateway/templates/service.yaml | 64 - .../gateway/templates/serviceaccount.yaml | 13 - .../charts/gateway/templates/zzz_profile.yaml | 34 - .../v1.21.5/charts/gateway/values.schema.json | 301 - resources/v1.21.5/charts/gateway/values.yaml | 152 - resources/v1.21.5/charts/istiod/Chart.yaml | 12 - resources/v1.21.5/charts/istiod/README.md | 73 - .../files/gateway-injection-template.yaml | 256 - .../charts/istiod/files/grpc-agent.yaml | 316 - .../charts/istiod/files/grpc-simple.yaml | 65 - .../istiod/files/injection-template.yaml | 548 - .../charts/istiod/files/kube-gateway.yaml | 354 - .../charts/istiod/files/profile-ambient.yaml | 25 - .../profile-compatibility-version-1.20.yaml | 6 - .../charts/istiod/files/profile-demo.yaml | 69 - .../istiod/files/profile-openshift.yaml | 19 - .../charts/istiod/files/profile-preview.yaml | 9 - .../v1.21.5/charts/istiod/files/waypoint.yaml | 298 - .../v1.21.5/charts/istiod/templates/NOTES.txt | 69 - .../charts/istiod/templates/_helpers.tpl | 23 - .../charts/istiod/templates/autoscale.yaml | 76 - .../charts/istiod/templates/clusterrole.yaml | 152 - .../istiod/templates/clusterrolebinding.yaml | 33 - .../istiod/templates/configmap-jwks.yaml | 14 - .../charts/istiod/templates/configmap.yaml | 112 - .../charts/istiod/templates/deployment.yaml | 265 - .../templates/istiod-injector-configmap.yaml | 78 - .../istiod/templates/mutatingwebhook.yaml | 154 - .../istiod/templates/poddisruptionbudget.yaml | 25 - .../istiod/templates/reader-clusterrole.yaml | 58 - .../templates/reader-clusterrolebinding.yaml | 15 - .../istiod/templates/revision-tags.yaml | 141 - .../v1.21.5/charts/istiod/templates/role.yaml | 30 - .../charts/istiod/templates/rolebinding.yaml | 16 - .../charts/istiod/templates/service.yaml | 50 - .../istiod/templates/serviceaccount.yaml | 15 - .../validatingwebhookconfiguration.yaml | 55 - .../charts/istiod/templates/zzz_profile.yaml | 34 - resources/v1.21.5/charts/istiod/values.yaml | 500 - resources/v1.21.5/charts/ztunnel/Chart.yaml | 11 - resources/v1.21.5/charts/ztunnel/README.md | 50 - .../charts/ztunnel/files/profile-ambient.yaml | 25 - .../profile-compatibility-version-1.20.yaml | 6 - .../charts/ztunnel/files/profile-demo.yaml | 69 - .../ztunnel/files/profile-openshift.yaml | 19 - .../charts/ztunnel/files/profile-preview.yaml | 9 - .../charts/ztunnel/templates/NOTES.txt | 5 - .../charts/ztunnel/templates/daemonset.yaml | 160 - .../charts/ztunnel/templates/rbac.yaml | 16 - .../charts/ztunnel/templates/zzz_profile.yaml | 34 - resources/v1.21.5/charts/ztunnel/values.yaml | 85 - resources/v1.21.5/profiles/ambient.yaml | 5 - resources/v1.21.5/profiles/default.yaml | 10 - resources/v1.21.5/profiles/demo.yaml | 5 - resources/v1.21.5/profiles/empty.yaml | 5 - resources/v1.21.5/profiles/external.yaml | 13 - resources/v1.21.5/profiles/openshift.yaml | 5 - resources/v1.21.5/profiles/preview.yaml | 8 - resources/v1.22.3/charts/base/Chart.yaml | 10 - resources/v1.22.3/charts/base/README.md | 35 - .../v1.22.3/charts/base/crds/crd-all.gen.yaml | 13051 ------------ .../charts/base/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 24 - .../profile-compatibility-version-1.21.yaml | 17 - .../charts/base/files/profile-demo.yaml | 73 - .../base/files/profile-openshift-ambient.yaml | 34 - .../charts/base/files/profile-openshift.yaml | 20 - .../charts/base/files/profile-preview.yaml | 13 - .../charts/base/files/profile-stable.yaml | 8 - .../v1.22.3/charts/base/templates/NOTES.txt | 5 - .../v1.22.3/charts/base/templates/crds.yaml | 3 - .../charts/base/templates/default.yaml | 54 - .../charts/base/templates/endpoints.yaml | 23 - .../base/templates/reader-serviceaccount.yaml | 16 - .../charts/base/templates/services.yaml | 37 - .../templates/validatingadmissionpolicy.yaml | 51 - .../charts/base/templates/zzz_profile.yaml | 38 - resources/v1.22.3/charts/base/values.yaml | 40 - resources/v1.22.3/charts/cni/Chart.yaml | 11 - resources/v1.22.3/charts/cni/README.md | 65 - .../charts/cni/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 24 - .../profile-compatibility-version-1.21.yaml | 17 - .../charts/cni/files/profile-demo.yaml | 73 - .../cni/files/profile-openshift-ambient.yaml | 34 - .../charts/cni/files/profile-openshift.yaml | 20 - .../charts/cni/files/profile-preview.yaml | 13 - .../charts/cni/files/profile-stable.yaml | 8 - .../v1.22.3/charts/cni/templates/NOTES.txt | 5 - .../charts/cni/templates/clusterrole.yaml | 74 - .../cni/templates/clusterrolebinding.yaml | 58 - .../charts/cni/templates/configmap-cni.yaml | 34 - .../charts/cni/templates/daemonset.yaml | 234 - .../network-attachment-definition.yaml | 9 - .../charts/cni/templates/resourcequota.yaml | 16 - .../charts/cni/templates/serviceaccount.yaml | 17 - .../charts/cni/templates/zzz_profile.yaml | 38 - resources/v1.22.3/charts/cni/values.yaml | 141 - resources/v1.22.3/charts/gateway/Chart.yaml | 12 - resources/v1.22.3/charts/gateway/README.md | 170 - .../charts/gateway/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 24 - .../profile-compatibility-version-1.21.yaml | 17 - .../charts/gateway/files/profile-demo.yaml | 73 - .../files/profile-openshift-ambient.yaml | 34 - .../gateway/files/profile-openshift.yaml | 20 - .../charts/gateway/files/profile-preview.yaml | 13 - .../charts/gateway/files/profile-stable.yaml | 8 - .../charts/gateway/templates/NOTES.txt | 9 - .../charts/gateway/templates/_helpers.tpl | 61 - .../charts/gateway/templates/deployment.yaml | 111 - .../v1.22.3/charts/gateway/templates/hpa.yaml | 38 - .../templates/poddisruptionbudget.yaml | 16 - .../charts/gateway/templates/role.yaml | 33 - .../charts/gateway/templates/service.yaml | 64 - .../gateway/templates/serviceaccount.yaml | 13 - .../charts/gateway/templates/zzz_profile.yaml | 38 - .../v1.22.3/charts/gateway/values.schema.json | 301 - resources/v1.22.3/charts/gateway/values.yaml | 152 - resources/v1.22.3/charts/istiod/Chart.yaml | 12 - resources/v1.22.3/charts/istiod/README.md | 73 - .../files/gateway-injection-template.yaml | 250 - .../charts/istiod/files/grpc-agent.yaml | 310 - .../charts/istiod/files/grpc-simple.yaml | 65 - .../istiod/files/injection-template.yaml | 542 - .../charts/istiod/files/kube-gateway.yaml | 356 - .../charts/istiod/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 24 - .../profile-compatibility-version-1.21.yaml | 17 - .../charts/istiod/files/profile-demo.yaml | 73 - .../files/profile-openshift-ambient.yaml | 34 - .../istiod/files/profile-openshift.yaml | 20 - .../charts/istiod/files/profile-preview.yaml | 13 - .../charts/istiod/files/profile-stable.yaml | 8 - .../v1.22.3/charts/istiod/files/waypoint.yaml | 307 - .../v1.22.3/charts/istiod/templates/NOTES.txt | 74 - .../charts/istiod/templates/_helpers.tpl | 23 - .../charts/istiod/templates/autoscale.yaml | 39 - .../charts/istiod/templates/clusterrole.yaml | 157 - .../istiod/templates/clusterrolebinding.yaml | 33 - .../istiod/templates/configmap-jwks.yaml | 14 - .../charts/istiod/templates/configmap.yaml | 112 - .../charts/istiod/templates/deployment.yaml | 257 - .../templates/istiod-injector-configmap.yaml | 80 - .../istiod/templates/mutatingwebhook.yaml | 158 - .../istiod/templates/poddisruptionbudget.yaml | 25 - .../istiod/templates/reader-clusterrole.yaml | 60 - .../templates/reader-clusterrolebinding.yaml | 15 - .../istiod/templates/revision-tags.yaml | 141 - .../v1.22.3/charts/istiod/templates/role.yaml | 30 - .../charts/istiod/templates/rolebinding.yaml | 16 - .../charts/istiod/templates/service.yaml | 50 - .../istiod/templates/serviceaccount.yaml | 19 - .../templates/validatingadmissionpolicy.yaml | 57 - .../validatingwebhookconfiguration.yaml | 63 - .../charts/istiod/templates/zzz_profile.yaml | 38 - resources/v1.22.3/charts/istiod/values.yaml | 514 - resources/v1.22.3/charts/ztunnel/Chart.yaml | 11 - resources/v1.22.3/charts/ztunnel/README.md | 50 - .../charts/ztunnel/files/profile-ambient.yaml | 21 - .../profile-compatibility-version-1.20.yaml | 24 - .../profile-compatibility-version-1.21.yaml | 17 - .../charts/ztunnel/files/profile-demo.yaml | 73 - .../files/profile-openshift-ambient.yaml | 34 - .../ztunnel/files/profile-openshift.yaml | 20 - .../charts/ztunnel/files/profile-preview.yaml | 13 - .../charts/ztunnel/files/profile-stable.yaml | 8 - .../charts/ztunnel/templates/NOTES.txt | 5 - .../charts/ztunnel/templates/daemonset.yaml | 165 - .../charts/ztunnel/templates/rbac.yaml | 51 - .../charts/ztunnel/templates/zzz_profile.yaml | 38 - resources/v1.22.3/charts/ztunnel/values.yaml | 87 - resources/v1.22.3/profiles/ambient.yaml | 5 - resources/v1.22.3/profiles/default.yaml | 10 - resources/v1.22.3/profiles/demo.yaml | 5 - resources/v1.22.3/profiles/empty.yaml | 5 - .../v1.22.3/profiles/openshift-ambient.yaml | 5 - resources/v1.22.3/profiles/openshift.yaml | 5 - resources/v1.22.3/profiles/preview.yaml | 8 - resources/v1.22.3/profiles/stable.yaml | 5 - 409 files changed, 78 insertions(+), 62864 deletions(-) create mode 100644 ossm/versions.yaml delete mode 100644 resources/latest/charts/base/Chart.yaml delete mode 100644 resources/latest/charts/base/README.md delete mode 100644 resources/latest/charts/base/crds/crd-all.gen.yaml delete mode 100644 resources/latest/charts/base/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/base/files/profile-demo.yaml delete mode 100644 resources/latest/charts/base/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/base/files/profile-openshift.yaml delete mode 100644 resources/latest/charts/base/files/profile-preview.yaml delete mode 100644 resources/latest/charts/base/files/profile-stable.yaml delete mode 100644 resources/latest/charts/base/templates/NOTES.txt delete mode 100644 resources/latest/charts/base/templates/crds.yaml delete mode 100644 resources/latest/charts/base/templates/default.yaml delete mode 100644 resources/latest/charts/base/templates/endpoints.yaml delete mode 100644 resources/latest/charts/base/templates/reader-serviceaccount.yaml delete mode 100644 resources/latest/charts/base/templates/services.yaml delete mode 100644 resources/latest/charts/base/templates/validatingadmissionpolicy.yaml delete mode 100644 resources/latest/charts/base/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/base/values.yaml delete mode 100644 resources/latest/charts/cni/Chart.yaml delete mode 100644 resources/latest/charts/cni/README.md delete mode 100644 resources/latest/charts/cni/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/cni/files/profile-demo.yaml delete mode 100644 resources/latest/charts/cni/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/cni/files/profile-openshift.yaml delete mode 100644 resources/latest/charts/cni/files/profile-preview.yaml delete mode 100644 resources/latest/charts/cni/files/profile-stable.yaml delete mode 100644 resources/latest/charts/cni/templates/NOTES.txt delete mode 100644 resources/latest/charts/cni/templates/_helpers.tpl delete mode 100644 resources/latest/charts/cni/templates/clusterrole.yaml delete mode 100644 resources/latest/charts/cni/templates/clusterrolebinding.yaml delete mode 100644 resources/latest/charts/cni/templates/configmap-cni.yaml delete mode 100644 resources/latest/charts/cni/templates/daemonset.yaml delete mode 100644 resources/latest/charts/cni/templates/network-attachment-definition.yaml delete mode 100644 resources/latest/charts/cni/templates/resourcequota.yaml delete mode 100644 resources/latest/charts/cni/templates/serviceaccount.yaml delete mode 100644 resources/latest/charts/cni/templates/zzy_descope_legacy.yaml delete mode 100644 resources/latest/charts/cni/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/cni/values.yaml delete mode 100644 resources/latest/charts/gateway/Chart.yaml delete mode 100644 resources/latest/charts/gateway/README.md delete mode 100644 resources/latest/charts/gateway/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-demo.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-openshift.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-preview.yaml delete mode 100644 resources/latest/charts/gateway/files/profile-stable.yaml delete mode 100644 resources/latest/charts/gateway/templates/NOTES.txt delete mode 100644 resources/latest/charts/gateway/templates/_helpers.tpl delete mode 100644 resources/latest/charts/gateway/templates/deployment.yaml delete mode 100644 resources/latest/charts/gateway/templates/hpa.yaml delete mode 100644 resources/latest/charts/gateway/templates/poddisruptionbudget.yaml delete mode 100644 resources/latest/charts/gateway/templates/role.yaml delete mode 100644 resources/latest/charts/gateway/templates/service.yaml delete mode 100644 resources/latest/charts/gateway/templates/serviceaccount.yaml delete mode 100644 resources/latest/charts/gateway/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/gateway/values.schema.json delete mode 100644 resources/latest/charts/gateway/values.yaml delete mode 100644 resources/latest/charts/istiod-remote/Chart.yaml delete mode 100644 resources/latest/charts/istiod-remote/NOTES.txt delete mode 100644 resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/injection-template.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-demo.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-openshift.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-preview.yaml delete mode 100644 resources/latest/charts/istiod-remote/files/profile-stable.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/_helpers.tpl delete mode 100644 resources/latest/charts/istiod-remote/templates/clusterrole.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/configmap.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/default.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/endpoints.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/role.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/rolebinding.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/serviceaccount.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/services.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml delete mode 100644 resources/latest/charts/istiod-remote/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/istiod-remote/values.yaml delete mode 100644 resources/latest/charts/istiod/Chart.yaml delete mode 100644 resources/latest/charts/istiod/README.md delete mode 100644 resources/latest/charts/istiod/files/gateway-injection-template.yaml delete mode 100644 resources/latest/charts/istiod/files/grpc-agent.yaml delete mode 100644 resources/latest/charts/istiod/files/grpc-simple.yaml delete mode 100644 resources/latest/charts/istiod/files/injection-template.yaml delete mode 100644 resources/latest/charts/istiod/files/kube-gateway.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-demo.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-openshift.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-preview.yaml delete mode 100644 resources/latest/charts/istiod/files/profile-stable.yaml delete mode 100644 resources/latest/charts/istiod/files/waypoint.yaml delete mode 100644 resources/latest/charts/istiod/templates/NOTES.txt delete mode 100644 resources/latest/charts/istiod/templates/_helpers.tpl delete mode 100644 resources/latest/charts/istiod/templates/autoscale.yaml delete mode 100644 resources/latest/charts/istiod/templates/clusterrole.yaml delete mode 100644 resources/latest/charts/istiod/templates/clusterrolebinding.yaml delete mode 100644 resources/latest/charts/istiod/templates/configmap-jwks.yaml delete mode 100644 resources/latest/charts/istiod/templates/configmap.yaml delete mode 100644 resources/latest/charts/istiod/templates/deployment.yaml delete mode 100644 resources/latest/charts/istiod/templates/istiod-injector-configmap.yaml delete mode 100644 resources/latest/charts/istiod/templates/mutatingwebhook.yaml delete mode 100644 resources/latest/charts/istiod/templates/poddisruptionbudget.yaml delete mode 100644 resources/latest/charts/istiod/templates/reader-clusterrole.yaml delete mode 100644 resources/latest/charts/istiod/templates/reader-clusterrolebinding.yaml delete mode 100644 resources/latest/charts/istiod/templates/revision-tags.yaml delete mode 100644 resources/latest/charts/istiod/templates/role.yaml delete mode 100644 resources/latest/charts/istiod/templates/rolebinding.yaml delete mode 100644 resources/latest/charts/istiod/templates/service.yaml delete mode 100644 resources/latest/charts/istiod/templates/serviceaccount.yaml delete mode 100644 resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml delete mode 100644 resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml delete mode 100644 resources/latest/charts/istiod/templates/zzy_descope_legacy.yaml delete mode 100644 resources/latest/charts/istiod/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/istiod/values.yaml delete mode 100644 resources/latest/charts/ztunnel/Chart.yaml delete mode 100644 resources/latest/charts/ztunnel/README.md delete mode 100644 resources/latest/charts/ztunnel/files/profile-ambient.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-demo.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-openshift.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-preview.yaml delete mode 100644 resources/latest/charts/ztunnel/files/profile-stable.yaml delete mode 100644 resources/latest/charts/ztunnel/templates/NOTES.txt delete mode 100644 resources/latest/charts/ztunnel/templates/_helpers.tpl delete mode 100644 resources/latest/charts/ztunnel/templates/daemonset.yaml delete mode 100644 resources/latest/charts/ztunnel/templates/rbac.yaml delete mode 100644 resources/latest/charts/ztunnel/templates/zzz_profile.yaml delete mode 100644 resources/latest/charts/ztunnel/values.yaml delete mode 100644 resources/latest/profiles/ambient.yaml delete mode 100644 resources/latest/profiles/default.yaml delete mode 100644 resources/latest/profiles/demo.yaml delete mode 100644 resources/latest/profiles/empty.yaml delete mode 100644 resources/latest/profiles/openshift-ambient.yaml delete mode 100644 resources/latest/profiles/openshift.yaml delete mode 100644 resources/latest/profiles/preview.yaml delete mode 100644 resources/latest/profiles/stable.yaml delete mode 100644 resources/v1.21.5/charts/base/Chart.yaml delete mode 100644 resources/v1.21.5/charts/base/README.md delete mode 100644 resources/v1.21.5/charts/base/crds/crd-all.gen.yaml delete mode 100644 resources/v1.21.5/charts/base/files/profile-ambient.yaml delete mode 100644 resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.21.5/charts/base/files/profile-demo.yaml delete mode 100644 resources/v1.21.5/charts/base/files/profile-openshift.yaml delete mode 100644 resources/v1.21.5/charts/base/files/profile-preview.yaml delete mode 100644 resources/v1.21.5/charts/base/templates/NOTES.txt delete mode 100644 resources/v1.21.5/charts/base/templates/crds.yaml delete mode 100644 resources/v1.21.5/charts/base/templates/default.yaml delete mode 100644 resources/v1.21.5/charts/base/templates/endpoints.yaml delete mode 100644 resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml delete mode 100644 resources/v1.21.5/charts/base/templates/services.yaml delete mode 100644 resources/v1.21.5/charts/base/templates/zzz_profile.yaml delete mode 100644 resources/v1.21.5/charts/base/values.yaml delete mode 100644 resources/v1.21.5/charts/cni/Chart.yaml delete mode 100644 resources/v1.21.5/charts/cni/README.md delete mode 100644 resources/v1.21.5/charts/cni/files/profile-ambient.yaml delete mode 100644 resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.21.5/charts/cni/files/profile-demo.yaml delete mode 100644 resources/v1.21.5/charts/cni/files/profile-openshift.yaml delete mode 100644 resources/v1.21.5/charts/cni/files/profile-preview.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/NOTES.txt delete mode 100644 resources/v1.21.5/charts/cni/templates/clusterrole.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/configmap-cni.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/daemonset.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/resourcequota.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/serviceaccount.yaml delete mode 100644 resources/v1.21.5/charts/cni/templates/zzz_profile.yaml delete mode 100644 resources/v1.21.5/charts/cni/values.yaml delete mode 100644 resources/v1.21.5/charts/gateway/Chart.yaml delete mode 100644 resources/v1.21.5/charts/gateway/README.md delete mode 100644 resources/v1.21.5/charts/gateway/files/profile-ambient.yaml delete mode 100644 resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.21.5/charts/gateway/files/profile-demo.yaml delete mode 100644 resources/v1.21.5/charts/gateway/files/profile-openshift.yaml delete mode 100644 resources/v1.21.5/charts/gateway/files/profile-preview.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/NOTES.txt delete mode 100644 resources/v1.21.5/charts/gateway/templates/_helpers.tpl delete mode 100644 resources/v1.21.5/charts/gateway/templates/deployment.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/hpa.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/role.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/service.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml delete mode 100644 resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml delete mode 100644 resources/v1.21.5/charts/gateway/values.schema.json delete mode 100644 resources/v1.21.5/charts/gateway/values.yaml delete mode 100644 resources/v1.21.5/charts/istiod/Chart.yaml delete mode 100644 resources/v1.21.5/charts/istiod/README.md delete mode 100644 resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/grpc-agent.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/grpc-simple.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/injection-template.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/kube-gateway.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/profile-ambient.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/profile-demo.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/profile-openshift.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/profile-preview.yaml delete mode 100644 resources/v1.21.5/charts/istiod/files/waypoint.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/NOTES.txt delete mode 100644 resources/v1.21.5/charts/istiod/templates/_helpers.tpl delete mode 100644 resources/v1.21.5/charts/istiod/templates/autoscale.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/clusterrole.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/configmap.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/deployment.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/revision-tags.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/role.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/rolebinding.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/service.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml delete mode 100644 resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml delete mode 100644 resources/v1.21.5/charts/istiod/values.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/Chart.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/README.md delete mode 100644 resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/templates/NOTES.txt delete mode 100644 resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/templates/rbac.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml delete mode 100644 resources/v1.21.5/charts/ztunnel/values.yaml delete mode 100644 resources/v1.21.5/profiles/ambient.yaml delete mode 100644 resources/v1.21.5/profiles/default.yaml delete mode 100644 resources/v1.21.5/profiles/demo.yaml delete mode 100644 resources/v1.21.5/profiles/empty.yaml delete mode 100644 resources/v1.21.5/profiles/external.yaml delete mode 100644 resources/v1.21.5/profiles/openshift.yaml delete mode 100644 resources/v1.21.5/profiles/preview.yaml delete mode 100644 resources/v1.22.3/charts/base/Chart.yaml delete mode 100644 resources/v1.22.3/charts/base/README.md delete mode 100644 resources/v1.22.3/charts/base/crds/crd-all.gen.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-ambient.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-demo.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-openshift.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-preview.yaml delete mode 100644 resources/v1.22.3/charts/base/files/profile-stable.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/NOTES.txt delete mode 100644 resources/v1.22.3/charts/base/templates/crds.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/default.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/endpoints.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/services.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml delete mode 100644 resources/v1.22.3/charts/base/templates/zzz_profile.yaml delete mode 100644 resources/v1.22.3/charts/base/values.yaml delete mode 100644 resources/v1.22.3/charts/cni/Chart.yaml delete mode 100644 resources/v1.22.3/charts/cni/README.md delete mode 100644 resources/v1.22.3/charts/cni/files/profile-ambient.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-demo.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-openshift.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-preview.yaml delete mode 100644 resources/v1.22.3/charts/cni/files/profile-stable.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/NOTES.txt delete mode 100644 resources/v1.22.3/charts/cni/templates/clusterrole.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/configmap-cni.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/daemonset.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/resourcequota.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/serviceaccount.yaml delete mode 100644 resources/v1.22.3/charts/cni/templates/zzz_profile.yaml delete mode 100644 resources/v1.22.3/charts/cni/values.yaml delete mode 100644 resources/v1.22.3/charts/gateway/Chart.yaml delete mode 100644 resources/v1.22.3/charts/gateway/README.md delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-ambient.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-demo.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-openshift.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-preview.yaml delete mode 100644 resources/v1.22.3/charts/gateway/files/profile-stable.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/NOTES.txt delete mode 100644 resources/v1.22.3/charts/gateway/templates/_helpers.tpl delete mode 100644 resources/v1.22.3/charts/gateway/templates/deployment.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/hpa.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/role.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/service.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml delete mode 100644 resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml delete mode 100644 resources/v1.22.3/charts/gateway/values.schema.json delete mode 100644 resources/v1.22.3/charts/gateway/values.yaml delete mode 100644 resources/v1.22.3/charts/istiod/Chart.yaml delete mode 100644 resources/v1.22.3/charts/istiod/README.md delete mode 100644 resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/grpc-agent.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/grpc-simple.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/injection-template.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/kube-gateway.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-ambient.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-demo.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-openshift.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-preview.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/profile-stable.yaml delete mode 100644 resources/v1.22.3/charts/istiod/files/waypoint.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/NOTES.txt delete mode 100644 resources/v1.22.3/charts/istiod/templates/_helpers.tpl delete mode 100644 resources/v1.22.3/charts/istiod/templates/autoscale.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/clusterrole.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/configmap.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/deployment.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/revision-tags.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/role.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/rolebinding.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/service.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml delete mode 100644 resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml delete mode 100644 resources/v1.22.3/charts/istiod/values.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/Chart.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/README.md delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/templates/NOTES.txt delete mode 100644 resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/templates/rbac.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml delete mode 100644 resources/v1.22.3/charts/ztunnel/values.yaml delete mode 100644 resources/v1.22.3/profiles/ambient.yaml delete mode 100644 resources/v1.22.3/profiles/default.yaml delete mode 100644 resources/v1.22.3/profiles/demo.yaml delete mode 100644 resources/v1.22.3/profiles/empty.yaml delete mode 100644 resources/v1.22.3/profiles/openshift-ambient.yaml delete mode 100644 resources/v1.22.3/profiles/openshift.yaml delete mode 100644 resources/v1.22.3/profiles/preview.yaml delete mode 100644 resources/v1.22.3/profiles/stable.yaml diff --git a/Makefile.vendor.mk b/Makefile.vendor.mk index 07830b722..fb65fabeb 100644 --- a/Makefile.vendor.mk +++ b/Makefile.vendor.mk @@ -1,7 +1,7 @@ -VERSION = 3.0.0-tp.1 +VERSION = 3.0.0-tp.2 OPERATOR_NAME = servicemeshoperator3 HUB = quay.io/maistra-dev CHANNELS = candidates HELM_VALUES_FILE = ossm/values.yaml -VERSIONS_YAML_FILE = versions.yaml +VERSIONS_YAML_FILE ?= ossm/versions.yaml GENERATE_RELATED_IMAGES = false diff --git a/api/v1alpha1/istio_types.go b/api/v1alpha1/istio_types.go index dfeb27df3..ae995daee 100644 --- a/api/v1alpha1/istio_types.go +++ b/api/v1alpha1/istio_types.go @@ -37,9 +37,9 @@ const ( type IstioSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest + // Must be one of: v1.23.0. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0"} + // +kubebuilder:validation:Enum=v1.23.0 // +kubebuilder:default=v1.23.0 Version string `json:"version"` @@ -51,10 +51,10 @@ type IstioSpec struct { // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + // Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable + // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio components should be installed. diff --git a/api/v1alpha1/istiocni_types.go b/api/v1alpha1/istiocni_types.go index 0bceffb8c..34123428e 100644 --- a/api/v1alpha1/istiocni_types.go +++ b/api/v1alpha1/istiocni_types.go @@ -28,19 +28,19 @@ const ( type IstioCNISpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest + // Must be one of: v1.23.0. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0"} + // +kubebuilder:validation:Enum=v1.23.0 // +kubebuilder:default=v1.23.0 Version string `json:"version"` // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + // Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable + // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio CNI component should be installed. diff --git a/api/v1alpha1/istiorevision_types.go b/api/v1alpha1/istiorevision_types.go index 9500341f3..2ede45762 100644 --- a/api/v1alpha1/istiorevision_types.go +++ b/api/v1alpha1/istiorevision_types.go @@ -35,9 +35,9 @@ type IstioRevisionSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest + // Must be one of: v1.23.0. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0"} + // +kubebuilder:validation:Enum=v1.23.0 Version string `json:"version"` // Namespace to which the Istio components should be installed. diff --git a/api/v1alpha1/remoteistio_types.go b/api/v1alpha1/remoteistio_types.go index 1494a9bc7..599a6be67 100644 --- a/api/v1alpha1/remoteistio_types.go +++ b/api/v1alpha1/remoteistio_types.go @@ -27,9 +27,9 @@ const RemoteIstioKind = "RemoteIstio" type RemoteIstioSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.5", "urn:alm:descriptor:com.tectonic.ui:select:latest"} - // +kubebuilder:validation:Enum=v1.23.0;v1.22.3;v1.21.5;latest + // Must be one of: v1.23.0. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.0"} + // +kubebuilder:validation:Enum=v1.23.0 // +kubebuilder:default=v1.23.0 Version string `json:"version"` @@ -41,10 +41,10 @@ type RemoteIstioSpec struct { // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + // Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;stable + // +kubebuilder:validation:Enum=ambient;default;demo;empty;openshift-ambient;openshift;preview;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio components should be installed. diff --git a/bundle/manifests/sailoperator.io_istiocnis.yaml b/bundle/manifests/sailoperator.io_istiocnis.yaml index 6b37a1d81..7025e9062 100644 --- a/bundle/manifests/sailoperator.io_istiocnis.yaml +++ b/bundle/manifests/sailoperator.io_istiocnis.yaml @@ -70,13 +70,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -1395,12 +1394,9 @@ spec: default: v1.23.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/bundle/manifests/sailoperator.io_istiorevisions.yaml b/bundle/manifests/sailoperator.io_istiorevisions.yaml index 091ee88d7..96e9a6790 100644 --- a/bundle/manifests/sailoperator.io_istiorevisions.yaml +++ b/bundle/manifests/sailoperator.io_istiorevisions.yaml @@ -7927,12 +7927,9 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/bundle/manifests/sailoperator.io_istios.yaml b/bundle/manifests/sailoperator.io_istios.yaml index 3ba422ba5..a4d3cde69 100644 --- a/bundle/manifests/sailoperator.io_istios.yaml +++ b/bundle/manifests/sailoperator.io_istios.yaml @@ -87,13 +87,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -7983,12 +7982,9 @@ spec: default: v1.23.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/bundle/manifests/sailoperator.io_remoteistios.yaml b/bundle/manifests/sailoperator.io_remoteistios.yaml index f77d7cc7a..be25b78e7 100644 --- a/bundle/manifests/sailoperator.io_remoteistios.yaml +++ b/bundle/manifests/sailoperator.io_remoteistios.yaml @@ -82,13 +82,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -7978,12 +7977,9 @@ spec: default: v1.23.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml index a2c740b29..2d9ebf907 100644 --- a/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml +++ b/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml @@ -34,7 +34,7 @@ metadata: capabilities: Seamless Upgrades categories: OpenShift Optional, Integration & Delivery, Networking, Security containerImage: quay.io/maistra-dev/sail-operator:3.0-latest - createdAt: "2024-08-29T15:46:07Z" + createdAt: "2024-10-10T07:52:12Z" description: The OpenShift Service Mesh Operator enables you to install, configure, and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service Mesh is based on the open source Istio project. @@ -55,7 +55,7 @@ metadata: operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 repository: https://github.com/istio-ecosystem/sail-operator support: Red Hat, Inc. - name: servicemeshoperator3.v3.0.0-tp.1 + name: servicemeshoperator3.v3.0.0-tp.2 namespace: placeholder spec: apiservicedefinitions: {} @@ -164,15 +164,12 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 - - urn:alm:descriptor:com.tectonic.ui:select:latest - description: Namespace to which the Istio CNI component should be installed. displayName: Namespace path: namespace @@ -181,7 +178,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: @@ -202,15 +199,12 @@ spec: specDescriptors: - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 - - urn:alm:descriptor:com.tectonic.ui:select:latest - description: Namespace to which the Istio components should be installed. displayName: Namespace path: namespace @@ -248,15 +242,12 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 - - urn:alm:descriptor:com.tectonic.ui:select:latest - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all the workloads have stopped using it. You may want to set this value on the order of minutes. @@ -284,7 +275,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: @@ -320,15 +311,12 @@ spec: - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased - description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. displayName: Istio Version path: version x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General - urn:alm:descriptor:com.tectonic.ui:select:v1.23.0 - - urn:alm:descriptor:com.tectonic.ui:select:v1.22.3 - - urn:alm:descriptor:com.tectonic.ui:select:v1.21.5 - - urn:alm:descriptor:com.tectonic.ui:select:latest - description: |- Defines how many seconds the operator should wait before removing a non-active revision after all the workloads have stopped using it. You may want to set this value on the order of minutes. @@ -356,7 +344,7 @@ spec: - description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. displayName: Profile path: profile x-descriptors: @@ -784,4 +772,4 @@ spec: maturity: alpha provider: name: Red Hat, Inc. - version: 3.0.0-tp.1 + version: 3.0.0-tp.2 diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 9400c4abc..25b62579b 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: sail-operator description: A Helm chart for Kubernetes type: application -version: 3.0.0-tp.1 -appVersion: "3.0.0-tp.1" +version: 3.0.0-tp.2 +appVersion: "3.0.0-tp.2" diff --git a/chart/crds/sailoperator.io_istiocnis.yaml b/chart/crds/sailoperator.io_istiocnis.yaml index 3852ba680..39e5f3fe3 100644 --- a/chart/crds/sailoperator.io_istiocnis.yaml +++ b/chart/crds/sailoperator.io_istiocnis.yaml @@ -70,13 +70,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -1395,12 +1394,9 @@ spec: default: v1.23.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/chart/crds/sailoperator.io_istiorevisions.yaml b/chart/crds/sailoperator.io_istiorevisions.yaml index 0dabf6f01..f6255f6b0 100644 --- a/chart/crds/sailoperator.io_istiorevisions.yaml +++ b/chart/crds/sailoperator.io_istiorevisions.yaml @@ -7927,12 +7927,9 @@ spec: version: description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/chart/crds/sailoperator.io_istios.yaml b/chart/crds/sailoperator.io_istios.yaml index b9a5f37fa..cabad5391 100644 --- a/chart/crds/sailoperator.io_istios.yaml +++ b/chart/crds/sailoperator.io_istios.yaml @@ -87,13 +87,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -7983,12 +7982,9 @@ spec: default: v1.23.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/chart/crds/sailoperator.io_remoteistios.yaml b/chart/crds/sailoperator.io_remoteistios.yaml index 75f001835..ef400a913 100644 --- a/chart/crds/sailoperator.io_remoteistios.yaml +++ b/chart/crds/sailoperator.io_remoteistios.yaml @@ -82,13 +82,12 @@ spec: description: |- The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. + Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. enum: - ambient - default - demo - empty - - external - openshift-ambient - openshift - preview @@ -7978,12 +7977,9 @@ spec: default: v1.23.0 description: |- Defines the version of Istio to install. - Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. + Must be one of: v1.23.0. enum: - v1.23.0 - - v1.22.3 - - v1.21.5 - - latest type: string required: - namespace diff --git a/chart/values.yaml b/chart/values.yaml index 7c5c7056b..3c0b2f5a7 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -23,7 +23,7 @@ csv: [See this page](https://github.com/istio-ecosystem/sail-operator/blob/main/bundle/README.md) for instructions on how to use it. support: Community based - version: 3.0.0-tp.1 + version: 3.0.0-tp.2 icon: base64data: iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAYAAADDPmHLAAAACXBIWXMAAAFiAAABYgFfJ9BTAAAHL0lEQVR4nO2du24bRxSGz5LL+01kaMuX2HShnmlSi2VUBM4bKG/gdGFnl+rsBwggvUHUsTT9AIGdnoWCIIWNIJZNWKLM5Uww1K4sC6JEQrP7z8yeDyDYCHuG3F/nNmeWnpSSTMXvD3tE9Ey9gp3e0NiFWkzGgqVvEtFLvz/c8/vDNQPW4xQ2CCBim4gO/P7wFzOW4wY2CUDRIKLnfn/4xu8PvzNgPdZjmwAiukT02u8Pn5mxHHuxVQART9kb3AzbBUDsDW6GFgEMRuNHwM8QobzBkCuF1dDlAfYGo/GeAULYDCuFHngd1qAzBKgy7c1gNEa74kbYN+CQsAS6cwD15T8djMZKCOj/QhUS9jkkXE1cSaBKzF4ORuMXg9EYeQMeE9GQq4TFxF0FPAnDAtIbdEMRcF5wCUmUgZ3QGyBjcpQX/Axcg5Ek2QeIcgNkpbDLyeHXJN0I6oYh4aeE7Z5HJYd7QPtGgegEKnf8OzgkbLMITkG2glVI2AdWCXMRpL1MRO8FzMs0pAjCCiG1IjBhM0jlBQeD0RhVq3fTLAJTdgMboSeAigBkG4pJ28FKBK8HozGqVu+mMTE0cR5gFyiC1FUHpg6EsAgSwuSJoN3t7+//ALK9nZbpY6NHwh7drf8qG+VjkPnnadg7MFoA+bxPYn2tBBTBrutbyVYMhc5FUMihzDs9T2DNVLB42D4GiUCVp862jO0ZC/e8knjYnlAGsmTVKHKyMrDrXIDnFWedW/+BRPDYxVkC+w6G5LItca/5L8i6miVAzjJox8qTQbJcaIt2/QPIvMoHTDgIowVrj4bJVrUhq8UjgGmVFO4D7MaC1WcDxd2mR7kswrTaOHqBMKwbuw+Hel5p9m0blRQ+cWHU3P7TwSopvFVHJYXWnzxy4Xg4yUa5DcwHrO4POCEAOs0HMsD+gLWloTMCUE0i8eAbVCiwtlXsjgBUKCjk2rJZnQBMWxsKnBKAQrRrAlQaWhkKnBMAeV5Z3GtxKFgS9wQQhQLMEIkKBVY1iJwUgELcbnigqmDbpgaRswKYVwV31t6CrFvjBdwVgAoF1eK6LBcQpru2TBU7LQCFuLOGSgif2ZAQOi8A8rOcEF6B+wLAJ4RGTxSnQgDzhLBVRU0QGe0F0iEAlRA2KzlQh3DT5LIwNQKYdwhvNbgsvEB6BBCWhcARMiPPGaZKAAqgFzDyTEHqBAD0Ah0TvUDqBEDsBb4ilQJgL/CFVAqA2AuckVoBsBc4JbUCUIhGBdUdNMYLpFoAslnJg/YIOqbMD6ZaAOpomawVUc8fMmJeIN0CmE8R1z+DTBuxR5B6AVA2o46Zo6zDk0EWwOmzBv4Gmd5GP2yCBaAEUMw/AJWEhPYCLIAQYEkITQZZACFyrSxAphvIxhALICKTaaYxGWQBnEM2yqhkcBM1PMoCOIesFB+AOoOEygVYABcAdgYhrWEWwAVEq4YSACQZZAFcJJdtAXsCiXsBFsAlyFrpPcj046Q7gyyASxBrlRnQfKJegAVwGX62nZbWMAtgAcAw0E2yJ8ACWIColxFPHo1IzAuwABaR9+8Dm0KJ5QEsgCsANoU6SYUBFsAVyGoR9XgZSioMsACuQP00DdB8ImGABXAVamoY94OViYQBFsA1yHoJdYRMEfvUMAvgGmSlGADNx54HsACuA1sOduPeG2ABLIEs55HmYw0DLIAlkNXiP0DzsVYDLIAlkKU8Mg9gDwAn53eAS2jEeYaQBbAkoKeOR7AA0MhKAdkPiC0PYAEsSymPOkZOYTkYy6PnWQBLon6HCLyEWMIAC2BZPK8EHBMjFoABADeGiAVgALJc+Au4iljyABbAKhRz6O9LuxdgAayAzPtV8BK0zwewAFYhk2mCV8AeAA24I7ip+4IsgFXJZVGTwnN0j4mxAFZEFnLvwEtgAUBxrBJgAayIzGZQTxOLYA8Axc/eAa+gq/Nivs6LOUMwe0tCBt7RSUBSFr1PJ+vqo3lHJ+oNWgZQmAgGO703Wq6l4yLWoW6wlBPv+LMf3ugOCUneZEok5h5+3fCPpMIAC2AhQrynmfjofQ4yNJ0J72R6m6azkjcNiKbzh3+YfoOvQ9uouJ0CkPKYgtk7byYyNJkKL5jVaTJt0kyQdzJVf9EMX66irRIwWQCv3n+ctLzDT/WzOPzlBpfU2Tn8EmE44QH+JKLDMJadvW9t1IbRH/z42x+9DNFL4BpNRZv44xSA2js/OPc6u9FbG7XDGO2mAjUqHuz0hjf9rLoEsBe+5jd8a6N2oOm6zGK0DIdoEcDWRm1Px3WYlVCl4P5NvzLuBNqLFg/AArAXLXsC3Ao2m0srJfUe7PS0JNIsACwXK6WzV7DTSySRZgHEy4fL/nuTvMHXwQK4Oa/CKwzP32hdu3VxwwK4notxeN580dGEMQEWwJc4HFuiZTJpEEAUh2GJlsm4IIBFiZY1cRiJLQI4n2iRa3EYBhH9D18eNW58bi76AAAAAElFTkSuQmCC mediatype: image/png diff --git a/docs/api-reference/sailoperator.io.md b/docs/api-reference/sailoperator.io.md index d8e479b79..fc72e0a35 100644 --- a/docs/api-reference/sailoperator.io.md +++ b/docs/api-reference/sailoperator.io.md @@ -624,8 +624,8 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0. | v1.23.0 | Enum: [v1.23.0] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio CNI component should be installed. | istio-cni | | | `values` _[CNIValues](#cnivalues)_ | Defines the values to be passed to the Helm charts when installing Istio CNI. | | | @@ -852,7 +852,7 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | | `type` _[IstioRevisionType](#istiorevisiontype)_ | Type indicates whether this revision represents a local or a remote control plane installation. | Local | | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0. | | Enum: [v1.23.0] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | @@ -905,9 +905,9 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0. | v1.23.0 | Enum: [v1.23.0] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the Istio CR is updated. | \{ type:InPlace \} | | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | @@ -2510,9 +2510,9 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0, v1.22.3, v1.21.5, latest. | v1.23.0 | Enum: [v1.23.0 v1.22.3 v1.21.5 latest] | +| `version` _string_ | Defines the version of Istio to install. Must be one of: v1.23.0. | v1.23.0 | Enum: [v1.23.0] | | `updateStrategy` _[IstioUpdateStrategy](#istioupdatestrategy)_ | Defines the update strategy to use when the version in the RemoteIstio CR is updated. | \{ type:InPlace \} | | -| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty external openshift-ambient openshift preview stable] | +| `profile` _string_ | The built-in installation configuration profile to use. The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. Must be one of: ambient, default, demo, empty, openshift-ambient, openshift, preview, stable. | | Enum: [ambient default demo empty openshift-ambient openshift preview stable] | | `namespace` _string_ | Namespace to which the Istio components should be installed. | istio-system | | | `values` _[Values](#values)_ | Defines the values to be passed to the Helm charts when installing Istio. | | | diff --git a/ossm/versions.yaml b/ossm/versions.yaml new file mode 100644 index 000000000..cc477f2bf --- /dev/null +++ b/ossm/versions.yaml @@ -0,0 +1,24 @@ +# This file defines all the Istio versions supported by this operator. + +# The list of versions to support. Each item specifies the name of the version, +# the Git repository and commit hash for retrieving the profiles, and +# a list of URLs for retrieving the charts. +# The first item in the list is the default version. +# +# IMPORTANT: in addition to the versions specified here, the versions of the +# istio.io/istio and istio.io/api dependencies defined in go.mod must also be +# updated to match the most recent version specified here. The versions in +# go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), +# as well as all the Istio CRDs (e.g. VirtualService). +versions: + - name: v1.23.0 + version: 1.23.0 + repo: https://github.com/istio/istio + commit: 1.23.0 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.23.0.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.23.0.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-remote-1.23.0.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.23.0.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.23.0.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.23.0.tgz diff --git a/resources/latest/charts/base/Chart.yaml b/resources/latest/charts/base/Chart.yaml deleted file mode 100644 index 7d589bb9e..000000000 --- a/resources/latest/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 diff --git a/resources/latest/charts/base/README.md b/resources/latest/charts/base/README.md deleted file mode 100644 index ae8f6d5b0..000000000 --- a/resources/latest/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/latest/charts/base/crds/crd-all.gen.yaml b/resources/latest/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index 675d42a84..000000000 --- a/resources/latest/charts/base/crds/crd-all.gen.yaml +++ /dev/null @@ -1,16531 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - failStrategy: - description: |- - Specifies the failure behavior for the plugin due to fatal errors. - - Valid Options: FAIL_CLOSE, FAIL_OPEN - enum: - - FAIL_CLOSE - - FAIL_OPEN - type: string - imagePullPolicy: - description: |- - The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. - - Valid Options: IfNotPresent, Always - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - maxLength: 253 - minLength: 1 - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: |- - Criteria for selecting traffic by their direction. - - Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - maximum: 65535 - minimum: 1 - type: integer - required: - - number - type: object - type: array - x-kubernetes-list-map-keys: - - number - x-kubernetes-list-type: map - type: object - type: array - phase: - description: |- - Determines where in the filter chain this `WasmPlugin` is to be injected. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - description: The plugin name to be used in the Envoy configuration - (used to be called `rootID`). - maxLength: 256 - minLength: 1 - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - format: int32 - nullable: true - type: integer - selector: - description: Criteria used to select the specific set of pods/VMs - on which this plugin configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - pattern: (^$|^[a-f0-9]{64}$) - type: string - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - type: - description: |- - Specifies the type of Wasm Extension to be used. - - Valid Options: HTTP, NETWORK - enum: - - UNSPECIFIED_PLUGIN_TYPE - - HTTP - - NETWORK - type: string - url: - description: URL of a Wasm module or OCI container. - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have schema one of [http, https, file, oci] - rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', - ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && - url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', - ''oci'', ''file''])' - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - description: Name of the environment variable. - maxLength: 256 - minLength: 1 - type: string - value: - description: Value for the environment variable. - maxLength: 2048 - type: string - valueFrom: - description: |- - Source for the environment variable's value. - - Valid Options: INLINE, HOST - enum: - - INLINE - - HOST - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: value may only be set when valueFrom is INLINE - rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' - || !has(self.value)' - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - url - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - required: - - host - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - required: - - host - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater - than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - maxItems: 4096 - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - required: - - host - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - description: |- - Specifies where in the Envoy configuration, the patch should be applied. - - Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - maximum: 4294967295 - minimum: 0 - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: |- - The specific config generation context to match on. - - Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - maximum: 4294967295 - minimum: 0 - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this - filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which - traffic is being sent/received. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by - a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format - (RE2) that can be used to select proxies using a specific - version of istio proxy. - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - description: The Istio gateway config's namespace/name - for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server - port number for which this route configuration was - generated. - maximum: 4294967295 - minimum: 0 - type: integer - vhost: - description: Match a specific virtual host in a route - configuration and apply the patch to the virtual host. - properties: - name: - description: The VirtualHosts objects generated - by Istio are named as host:port, where the host - typically corresponds to the VirtualService's - host field or the hostname of a service in the - registry. - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: |- - Match a route with specific action type. - - Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - description: The Route objects generated by - default are named as default. - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: |- - Determines the filter insertion order. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: |- - Determines how the patch should be applied. - - Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - format: int32 - minimum: 0 - nullable: true - type: integer - environmentVariables: - additionalProperties: - maxLength: 2048 - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) - == ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - maxItems: 4096 - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) - == ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - maxItems: 4096 - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) - == ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - maxItems: 4096 - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling - outbound traffic from the application. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling - outbound traffic from the application. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - idleTimeout: - description: The idle timeout for TCP connections. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than - 1ms - rule: duration(self) >= duration('1ms') - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Set the default behavior of the sidecar for handling - outbound traffic from the application. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - unmatchedPreflights: - description: |- - Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. - - Valid Options: FORWARD, IGNORE - enum: - - UNSPECIFIED - - FORWARD - - IGNORE - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - unmatchedPreflights: - description: |- - Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. - - Valid Options: FORWARD, IGNORE - enum: - - UNSPECIFIED - - FORWARD - - IGNORE - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - unmatchedPreflights: - description: |- - Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. - - Valid Options: FORWARD, IGNORE - enum: - - UNSPECIFIED - - FORWARD - - IGNORE - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' - || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? - !has(self.ports) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - - spec - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' - || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? - !has(self.ports) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - - spec - - spec - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == ''/'' - || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) ? - !has(self.ports) : true' - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - - spec - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == - ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - required: - - template - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == - ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - required: - - template - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - maxLength: 256 - type: string - x-kubernetes-validations: - - message: UDS must be an absolute path or abstract socket - rule: 'self.startsWith(''unix://'') ? (self.substring(7,8) == - ''/'' || self.substring(7,8) == ''@'') : true' - - message: UDS may not be a dir - rule: 'self.startsWith(''unix://'') ? !self.endsWith(''/'') - : true' - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - maxProperties: 256 - type: object - locality: - description: The locality associated with the endpoint. - maxLength: 2048 - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - maxLength: 2048 - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: 0 < self && self <= 65535 - description: Set of ports associated with the endpoint. - maxProperties: 128 - type: object - x-kubernetes-validations: - - message: port name must be valid - rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - maxLength: 253 - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - x-kubernetes-validations: - - message: Address is required - rule: has(self.address) || has(self.network) - - message: UDS may not include ports - rule: '(has(self.address) && self.address.startsWith(''unix://'')) - ? !has(self.ports) : true' - required: - - template - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - shortNames: - - ap - singular: authorizationpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - minProperties: 1 - type: object - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: self.all(key, 0 < int(key) && int(key) <= 65535) - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - type: object - x-kubernetes-validations: - - message: portLevelMtls requires selector - rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() - > 0) || !has(self.portLevelMtls) - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - minProperties: 1 - type: object - x-kubernetes-validations: - - message: port must be between 1-65535 - rule: self.all(key, 0 < int(key) && int(key) <= 65535) - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - type: object - x-kubernetes-validations: - - message: portLevelMtls requires selector - rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() - > 0) || !has(self.portLevelMtls) - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - minLength: 1 - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - minLength: 1 - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - minLength: 1 - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - minLength: 1 - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - minLength: 1 - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - minLength: 1 - type: string - header: - description: The name of the header to be created. - minLength: 1 - pattern: ^[-_A-Za-z0-9]+$ - type: string - required: - - header - - claim - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - required: - - issuer - type: object - x-kubernetes-validations: - - message: only one of jwks or jwksUri can be set - rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 - maxItems: 4096 - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - minLength: 1 - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - minLength: 1 - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - minLength: 1 - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - minLength: 1 - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - minLength: 1 - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - maxLength: 2048 - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have scheme http:// or https:// - rule: url(self).getScheme() in ['http', 'https'] - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - minLength: 1 - type: string - header: - description: The name of the header to be created. - minLength: 1 - pattern: ^[-_A-Za-z0-9]+$ - type: string - required: - - header - - claim - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - required: - - issuer - type: object - x-kubernetes-validations: - - message: only one of jwks or jwksUri can be set - rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 - maxItems: 4096 - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - type: object - x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set - rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - x-kubernetes-validations: - - message: must be a valid duration greater than 1ms - rule: duration(self) >= duration('1ms') - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - maxLength: 63 - type: string - x-kubernetes-validations: - - message: wildcard not allowed in label value match - rule: '!self.contains(''*'')' - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - maxProperties: 4096 - type: object - x-kubernetes-validations: - - message: wildcard not allowed in label key match - rule: self.all(key, !key.contains('*')) - - message: key must not be empty - rule: self.all(key, key.size() != 0) - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - description: kind is kind of the target resource. - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: name is the name of the target resource. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - x-kubernetes-validations: - - message: cross namespace referencing is not currently supported - rule: self.size() == 0 - required: - - kind - - name - type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [[''core'',''Service''], ['''',''Service''], - [''gateway.networking.k8s.io'',''Gateway''], [''networking.istio.io'',''ServiceEntry'']]' - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - properties: - conditions: - description: Current service state of the resource. - items: - properties: - lastProbeTime: - description: Last time we probed the condition. - format: date-time - type: string - lastTransitionTime: - description: Last time the condition transitioned from one status - to another. - format: date-time - type: string - message: - description: Human-readable message indicating details about - last transition. - type: string - reason: - description: Unique, one-word, CamelCase reason for the condition's - last transition. - type: string - status: - description: Status is the status of the condition. - type: string - type: - description: Type is the type of the condition. - type: string - type: object - type: array - observedGeneration: - anyOf: - - type: integer - - type: string - description: Resource Generation to which the Reconciled Condition - refers. - x-kubernetes-int-or-string: true - validationMessages: - description: Includes any errors or warnings detected by Istio's analyzers. - items: - properties: - documentationUrl: - description: A url pointing to the Istio documentation for this - specific error type. - type: string - level: - description: |- - Represents how severe a message is. - - Valid Options: UNKNOWN, ERROR, WARNING, INFO - enum: - - UNKNOWN - - ERROR - - WARNING - - INFO - type: string - type: - properties: - code: - description: A 7 character code matching `^IST[0-9]{4}$` - intended to uniquely identify the message type. - type: string - name: - description: A human-readable name for the message type. - type: string - type: object - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} diff --git a/resources/latest/charts/base/files/profile-ambient.yaml b/resources/latest/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 2badb70a5..000000000 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index f855500b0..000000000 --- a/resources/latest/charts/base/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file diff --git a/resources/latest/charts/base/files/profile-demo.yaml b/resources/latest/charts/base/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/base/files/profile-openshift-ambient.yaml b/resources/latest/charts/base/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/base/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/base/files/profile-openshift.yaml b/resources/latest/charts/base/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/base/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/base/files/profile-preview.yaml b/resources/latest/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/latest/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/latest/charts/base/files/profile-stable.yaml b/resources/latest/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/latest/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/latest/charts/base/templates/NOTES.txt b/resources/latest/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f57..000000000 --- a/resources/latest/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/latest/charts/base/templates/crds.yaml b/resources/latest/charts/base/templates/crds.yaml deleted file mode 100644 index af9901c6e..000000000 --- a/resources/latest/charts/base/templates/crds.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{- if .Values.base.enableCRDTemplates }} -{{ .Files.Get "crds/crd-all.gen.yaml" }} -{{- end }} diff --git a/resources/latest/charts/base/templates/default.yaml b/resources/latest/charts/base/templates/default.yaml deleted file mode 100644 index 8cb76fd77..000000000 --- a/resources/latest/charts/base/templates/default.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} diff --git a/resources/latest/charts/base/templates/endpoints.yaml b/resources/latest/charts/base/templates/endpoints.yaml deleted file mode 100644 index 1cc26dd78..000000000 --- a/resources/latest/charts/base/templates/endpoints.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/resources/latest/charts/base/templates/reader-serviceaccount.yaml b/resources/latest/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index 342eea41f..000000000 --- a/resources/latest/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} diff --git a/resources/latest/charts/base/templates/services.yaml b/resources/latest/charts/base/templates/services.yaml deleted file mode 100644 index 4290f2848..000000000 --- a/resources/latest/charts/base/templates/services.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/base/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/base/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 2616b09c9..000000000 --- a/resources/latest/charts/base/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,53 +0,0 @@ -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} diff --git a/resources/latest/charts/base/templates/zzz_profile.yaml b/resources/latest/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index b96dcafcb..000000000 --- a/resources/latest/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/base/values.yaml b/resources/latest/charts/base/values.yaml deleted file mode 100644 index fae4e61e4..000000000 --- a/resources/latest/charts/base/values.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - externalIstiod: false - remotePilotAddress: "" - - # Platform where Istio is deployed. Possible values are: "openshift", "gcp". - # An empty value means it is a vanilla Kubernetes distribution, therefore no special - # treatment will be considered. - platform: "" - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - # This is intended only for use with external istiod. - ipFamilyPolicy: "" - ipFamilies: [] - - base: - # Used for helm2 to add the CRDs to templates. - enableCRDTemplates: false - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/resources/latest/charts/cni/Chart.yaml b/resources/latest/charts/cni/Chart.yaml deleted file mode 100644 index 72b0cbb69..000000000 --- a/resources/latest/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 diff --git a/resources/latest/charts/cni/README.md b/resources/latest/charts/cni/README.md deleted file mode 100644 index a8b78d5bd..000000000 --- a/resources/latest/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/resources/latest/charts/cni/files/profile-ambient.yaml b/resources/latest/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 2badb70a5..000000000 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index f855500b0..000000000 --- a/resources/latest/charts/cni/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file diff --git a/resources/latest/charts/cni/files/profile-demo.yaml b/resources/latest/charts/cni/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/cni/files/profile-openshift-ambient.yaml b/resources/latest/charts/cni/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/cni/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/cni/files/profile-openshift.yaml b/resources/latest/charts/cni/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/cni/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/cni/files/profile-preview.yaml b/resources/latest/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/latest/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/latest/charts/cni/files/profile-stable.yaml b/resources/latest/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/latest/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/latest/charts/cni/templates/NOTES.txt b/resources/latest/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b9..000000000 --- a/resources/latest/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/latest/charts/cni/templates/_helpers.tpl b/resources/latest/charts/cni/templates/_helpers.tpl deleted file mode 100644 index 73cc17b2f..000000000 --- a/resources/latest/charts/cni/templates/_helpers.tpl +++ /dev/null @@ -1,8 +0,0 @@ -{{- define "name" -}} - istio-cni -{{- end }} - - -{{- define "istio-tag" -}} - {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} -{{- end }} diff --git a/resources/latest/charts/cni/templates/clusterrole.yaml b/resources/latest/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index a1640c5d4..000000000 --- a/resources/latest/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,80 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq .Values.platform "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-repair-role - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "name" . }}-ambient - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} diff --git a/resources/latest/charts/cni/templates/clusterrolebinding.yaml b/resources/latest/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 032b3e3f2..000000000 --- a/resources/latest/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,66 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-repair-rolebinding - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-repair-role -{{- end }} ---- -{{- if .Values.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ template "name" . }}-ambient - labels: - k8s-app: {{ template "name" . }}-repair - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ template "name" . }} - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "name" . }}-ambient -{{- end }} diff --git a/resources/latest/charts/cni/templates/configmap-cni.yaml b/resources/latest/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index 30a0edd9a..000000000 --- a/resources/latest/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,30 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ template "name" . }}-config - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -data: - CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} - AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} - AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | default "false" | quote }} - AMBIENT_IPV6: {{ .Values.ambient.ipv6 | default "false" | quote }} - {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values - CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. - {{- end }} - CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} - EXCLUDED_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" - REPAIR_ENABLED: {{ .Values.chained | quote }} - REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} - REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} - REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} - REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} - REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} - REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} diff --git a/resources/latest/charts/cni/templates/daemonset.yaml b/resources/latest/charts/cni/templates/daemonset.yaml deleted file mode 100644 index fad5c3287..000000000 --- a/resources/latest/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,213 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: {{ template "name" . }}-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: {{ template "name" . }}-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - k8s-app: {{ template "name" . }}-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - template: - metadata: - labels: - k8s-app: {{ template "name" . }}-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 8 }} - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Custom annotations - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: - {{if .Values.ambient.enabled }}hostNetwork: true{{ end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: {{ template "name" . }} - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" -{{- end }} -{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - ports: - - containerPort: 15014 - hostPort: 15014 - name: metrics - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: true # always requires privilege to be useful (install node plugin, etc) - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature. - # privileged is redundant with CAP_SYS_ADMIN - # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular - # capabilities we actually require - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces. - # There does not appear to be a more granular capability for this. - - SYS_ADMIN -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if or .Values.logging.level .Values.global.logging.level }} - - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - envFrom: - - configMapRef: - name: {{ template "name" . }}-config - env: - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ .Values.cniBinDir | default $defaultBinDir }} - {{- if or .Values.repair.repairPods .Values.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ default "/etc/cni/net.d" .Values.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cniNetnsDir | default "/var/run/netns" }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/resources/latest/charts/cni/templates/network-attachment-definition.yaml b/resources/latest/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 86a2eb7c0..000000000 --- a/resources/latest/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,11 +0,0 @@ -{{- if eq .Values.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: {{ template "name" . }} - namespace: default - labels: - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -{{- end }} diff --git a/resources/latest/charts/cni/templates/resourcequota.yaml b/resources/latest/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 9a6d61ff9..000000000 --- a/resources/latest/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{- if .Values.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: {{ template "name" . }}-resource-quota - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} -spec: - hard: - pods: {{ .Values.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} diff --git a/resources/latest/charts/cni/templates/serviceaccount.yaml b/resources/latest/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 41ac7dd83..000000000 --- a/resources/latest/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: {{ template "name" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "name" . }} - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" - app.kubernetes.io/name: {{ template "name" . }} - {{- include "istio.labels" . | nindent 4 }} diff --git a/resources/latest/charts/cni/templates/zzy_descope_legacy.yaml b/resources/latest/charts/cni/templates/zzy_descope_legacy.yaml deleted file mode 100644 index a9584ac29..000000000 --- a/resources/latest/charts/cni/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/resources/latest/charts/cni/templates/zzz_profile.yaml b/resources/latest/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index b96dcafcb..000000000 --- a/resources/latest/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/cni/values.yaml b/resources/latest/charts/cni/values.yaml deleted file mode 100644 index ff80bed0a..000000000 --- a/resources/latest/charts/cni/values.yaml +++ /dev/null @@ -1,143 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Same as `global.logging.level`, but will override it if set - logging: - level: "" - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - # This directory must exist on the node, if it does not, consult your container runtime - # documentation for the appropriate path. - cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. - - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: false - # If enabled, and ambient is enabled, enables ipv6 support - ipv6: true - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # The number of pods that can be unavailable during rolling update (see - # `updateStrategy.rollingUpdate.maxUnavailable` here: - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - # May be specified as a number of pods or as a percent of the total number - # of pods at the start of the update. - rollingMaxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - - # Default tag for Istio images. - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi diff --git a/resources/latest/charts/gateway/Chart.yaml b/resources/latest/charts/gateway/Chart.yaml deleted file mode 100644 index 344196f94..000000000 --- a/resources/latest/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 diff --git a/resources/latest/charts/gateway/README.md b/resources/latest/charts/gateway/README.md deleted file mode 100644 index 5c064d165..000000000 --- a/resources/latest/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/resources/latest/charts/gateway/files/profile-ambient.yaml b/resources/latest/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 2badb70a5..000000000 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index f855500b0..000000000 --- a/resources/latest/charts/gateway/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file diff --git a/resources/latest/charts/gateway/files/profile-demo.yaml b/resources/latest/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml b/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/gateway/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/gateway/files/profile-openshift.yaml b/resources/latest/charts/gateway/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/gateway/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/gateway/files/profile-preview.yaml b/resources/latest/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/latest/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/latest/charts/gateway/files/profile-stable.yaml b/resources/latest/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/latest/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/latest/charts/gateway/templates/NOTES.txt b/resources/latest/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911..000000000 --- a/resources/latest/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/resources/latest/charts/gateway/templates/_helpers.tpl b/resources/latest/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index e5a0a9b3c..000000000 --- a/resources/latest/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,40 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{- define "gateway.labels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if and (ne $key "app") (ne $key "istio") }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} -istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} -{{- end }} - -{{/* -Keep sidecar injection labels together -https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy -*/}} -{{- define "gateway.sidecarInjectionLabels" -}} -sidecar.istio.io/inject: "true" -{{- with .Values.revision }} -istio.io/rev: {{ . | quote }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/resources/latest/charts/gateway/templates/deployment.yaml b/resources/latest/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 73ecc1a73..000000000 --- a/resources/latest/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,117 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- with .Values.replicaCount }} - replicas: {{ . }} - {{- end }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} - {{- include "gateway.selectorLabels" . | nindent 8 }} - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 8}} - {{- range $key, $val := .Values.labels }} - {{- if and (ne $key "app") (ne $key "istio") }} - {{ $key | quote }}: {{ $val | quote }} - {{- end }} - {{- end }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{ toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/resources/latest/charts/gateway/templates/hpa.yaml b/resources/latest/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 64ecb6a4c..000000000 --- a/resources/latest/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/resources/latest/charts/gateway/templates/poddisruptionbudget.yaml b/resources/latest/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index b0155cdf0..000000000 --- a/resources/latest/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/resources/latest/charts/gateway/templates/role.yaml b/resources/latest/charts/gateway/templates/role.yaml deleted file mode 100644 index 3d1607963..000000000 --- a/resources/latest/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/resources/latest/charts/gateway/templates/service.yaml b/resources/latest/charts/gateway/templates/service.yaml deleted file mode 100644 index 25ce3bcb0..000000000 --- a/resources/latest/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,66 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/resources/latest/charts/gateway/templates/serviceaccount.yaml b/resources/latest/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index c88afeadd..000000000 --- a/resources/latest/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "gateway.name" . }} - {{- include "istio.labels" . | nindent 4}} - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/resources/latest/charts/gateway/templates/zzz_profile.yaml b/resources/latest/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index b96dcafcb..000000000 --- a/resources/latest/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/gateway/values.schema.json b/resources/latest/charts/gateway/values.schema.json deleted file mode 100644 index 4c4f0836d..000000000 --- a/resources/latest/charts/gateway/values.schema.json +++ /dev/null @@ -1,301 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "additionalProperties": false, - "$defs": { - "values": { - "type": "object", - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": ["string", "null"] - }, - "memory": { - "type": ["string", "null"] - } - } - } - } - }, - "revision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "priorityClassName": { - "type": "string" - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/resources/latest/charts/gateway/values.yaml b/resources/latest/charts/gateway/values.yaml deleted file mode 100644 index 72205b4a1..000000000 --- a/resources/latest/charts/gateway/values.yaml +++ /dev/null @@ -1,154 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Labels to apply to all resources - labels: {} - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" diff --git a/resources/latest/charts/istiod-remote/Chart.yaml b/resources/latest/charts/istiod-remote/Chart.yaml deleted file mode 100644 index 1f72b8275..000000000 --- a/resources/latest/charts/istiod-remote/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 -description: Helm chart for a remote cluster using an external istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- external-istiod -name: istiod-remote -sources: -- https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 diff --git a/resources/latest/charts/istiod-remote/NOTES.txt b/resources/latest/charts/istiod-remote/NOTES.txt deleted file mode 100644 index 0230b6f86..000000000 --- a/resources/latest/charts/istiod-remote/NOTES.txt +++ /dev/null @@ -1,4 +0,0 @@ -Install for a remote cluster using an external control plane. - -The templates in this directory are copies of base and istio-discovery templates. -DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen. diff --git a/resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml b/resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml deleted file mode 100644 index 97ffb71f2..000000000 --- a/resources/latest/charts/istiod-remote/files/gateway-injection-template.yaml +++ /dev/null @@ -1,250 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod-remote/files/injection-template.yaml b/resources/latest/charts/istiod-remote/files/injection-template.yaml deleted file mode 100644 index 63bc0e734..000000000 --- a/resources/latest/charts/istiod-remote/files/injection-template.yaml +++ /dev/null @@ -1,536 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod-remote/files/profile-ambient.yaml b/resources/latest/charts/istiod-remote/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 2badb70a5..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index f855500b0..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-demo.yaml b/resources/latest/charts/istiod-remote/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-demo.yaml +++ /dev/null @@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml b/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-openshift.yaml b/resources/latest/charts/istiod-remote/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/files/profile-preview.yaml b/resources/latest/charts/istiod-remote/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/latest/charts/istiod-remote/files/profile-stable.yaml b/resources/latest/charts/istiod-remote/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/latest/charts/istiod-remote/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/latest/charts/istiod-remote/templates/_helpers.tpl b/resources/latest/charts/istiod-remote/templates/_helpers.tpl deleted file mode 100644 index 042c92538..000000000 --- a/resources/latest/charts/istiod-remote/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/clusterrole.yaml deleted file mode 100644 index b2eeb92cc..000000000 --- a/resources/latest/charts/istiod-remote/templates/clusterrole.yaml +++ /dev/null @@ -1,167 +0,0 @@ -{{- if .Values.global.configCluster }} -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch" ] - resources: [ "serviceentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml b/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml deleted file mode 100644 index ced064bdc..000000000 --- a/resources/latest/charts/istiod-remote/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/configmap.yaml b/resources/latest/charts/istiod-remote/templates/configmap.yaml deleted file mode 100644 index 109e2bb82..000000000 --- a/resources/latest/charts/istiod-remote/templates/configmap.yaml +++ /dev/null @@ -1,114 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/default.yaml b/resources/latest/charts/istiod-remote/templates/default.yaml deleted file mode 100644 index bfc464439..000000000 --- a/resources/latest/charts/istiod-remote/templates/default.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml b/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml deleted file mode 100644 index 857f04eb3..000000000 --- a/resources/latest/charts/istiod-remote/templates/defaultrevisionvalidatingadmissionpolicy.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/endpoints.yaml b/resources/latest/charts/istiod-remote/templates/endpoints.yaml deleted file mode 100644 index 1cc26dd78..000000000 --- a/resources/latest/charts/istiod-remote/templates/endpoints.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml deleted file mode 100644 index b87691742..000000000 --- a/resources/latest/charts/istiod-remote/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,82 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml deleted file mode 100644 index 5b7e734e4..000000000 --- a/resources/latest/charts/istiod-remote/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,160 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "sidecar-injector" - {{- include "istio.labels" . | nindent 4 }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml b/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml deleted file mode 100644 index 85707cb87..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index aea9f01f7..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml b/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml deleted file mode 100644 index 342eea41f..000000000 --- a/resources/latest/charts/istiod-remote/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} diff --git a/resources/latest/charts/istiod-remote/templates/role.yaml b/resources/latest/charts/istiod-remote/templates/role.yaml deleted file mode 100644 index c9c4e47c1..000000000 --- a/resources/latest/charts/istiod-remote/templates/role.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/rolebinding.yaml b/resources/latest/charts/istiod-remote/templates/rolebinding.yaml deleted file mode 100644 index 717eeabee..000000000 --- a/resources/latest/charts/istiod-remote/templates/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml b/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml deleted file mode 100644 index c2dad3b70..000000000 --- a/resources/latest/charts/istiod-remote/templates/serviceaccount.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.global.configCluster }} -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | indent 4 }} - {{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/services.yaml b/resources/latest/charts/istiod-remote/templates/services.yaml deleted file mode 100644 index 4290f2848..000000000 --- a/resources/latest/charts/istiod-remote/templates/services.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: "istiod" - {{ include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 71ea407ad..000000000 --- a/resources/latest/charts/istiod-remote/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index c9e9eb22e..000000000 --- a/resources/latest/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,67 +0,0 @@ -{{- if .Values.global.configCluster }} -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml b/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml deleted file mode 100644 index ae8fced29..000000000 --- a/resources/latest/charts/istiod-remote/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml b/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml deleted file mode 100644 index b96dcafcb..000000000 --- a/resources/latest/charts/istiod-remote/templates/zzz_profile.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/istiod-remote/values.yaml b/resources/latest/charts/istiod-remote/values.yaml deleted file mode 100644 index 3d511673d..000000000 --- a/resources/latest/charts/istiod-remote/values.yaml +++ /dev/null @@ -1,441 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - hub: "" - tag: "" - variant: "" - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - # Additional container arguments - extraContainerArgs: [] - env: {} - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - affinity: {} - tolerations: [] - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - # Additional volumes to the istiod pod - volumes: [] - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - topologySpreadConstraints: [] - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - # Additional labels to apply to the deployment. - deploymentLabels: {} - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: false - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - rewriteAppHTTPProbe: true - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - injectionCABundle: "" - telemetry: - enabled: false - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - # For Helm compatibility. - ownerName: "" - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - experimental: - stableValidationPolicy: false - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - # Default tag for Istio images. - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - omitSidecarInjectorConfigMap: true - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - proxy: - image: proxyv2 - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - # The period between readiness probes. - readinessPeriodSeconds: 15 - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: true - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} diff --git a/resources/latest/charts/istiod/Chart.yaml b/resources/latest/charts/istiod/Chart.yaml deleted file mode 100644 index 5dfee6540..000000000 --- a/resources/latest/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 diff --git a/resources/latest/charts/istiod/README.md b/resources/latest/charts/istiod/README.md deleted file mode 100644 index ddbfbc8fe..000000000 --- a/resources/latest/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/resources/latest/charts/istiod/files/gateway-injection-template.yaml b/resources/latest/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 97ffb71f2..000000000 --- a/resources/latest/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,250 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod/files/grpc-agent.yaml b/resources/latest/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 7290fcdca..000000000 --- a/resources/latest/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,310 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod/files/grpc-simple.yaml b/resources/latest/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46..000000000 --- a/resources/latest/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/resources/latest/charts/istiod/files/injection-template.yaml b/resources/latest/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 63bc0e734..000000000 --- a/resources/latest/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,536 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.pilot.cni.enabled }} - {{- if eq .Values.pilot.cni.provider "multus" }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.pilot.cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.pilot.cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.pilot.cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.pilot.cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.outlierLogPath }} - - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} - {{- end}} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/latest/charts/istiod/files/kube-gateway.yaml b/resources/latest/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index a2b1c904a..000000000 --- a/resources/latest/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,341 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-gateway-controller" - ) | nindent 8 }} - spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- if .Values.gateways.seccompProfile }} - seccompProfile: - {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/resources/latest/charts/istiod/files/profile-ambient.yaml b/resources/latest/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 2badb70a5..000000000 --- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index f855500b0..000000000 --- a/resources/latest/charts/istiod/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file diff --git a/resources/latest/charts/istiod/files/profile-demo.yaml b/resources/latest/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml b/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/istiod/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/istiod/files/profile-openshift.yaml b/resources/latest/charts/istiod/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/istiod/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/istiod/files/profile-preview.yaml b/resources/latest/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/latest/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/latest/charts/istiod/files/profile-stable.yaml b/resources/latest/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/latest/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/latest/charts/istiod/files/waypoint.yaml b/resources/latest/charts/istiod/files/waypoint.yaml deleted file mode 100644 index e01409503..000000000 --- a/resources/latest/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,305 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- if .Values.global.waypoint.resources }} - resources: - {{- toYaml .Values.global.waypoint.resources | nindent 10 }} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - runAsGroup: 1337 - runAsUser: 1337 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.gateways.seccompProfile }} - seccompProfile: -{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} -{{- end }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ipFamilyPolicy: PreferDualStack - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/resources/latest/charts/istiod/templates/NOTES.txt b/resources/latest/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0d07ea7f4..000000000 --- a/resources/latest/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,82 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- $profile := default "" .Values.profile }} -{{- if (eq $profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" - "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} -{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} -{{- fail "pilotCertProvider=kubernetes is not supported" }} -{{- end }} \ No newline at end of file diff --git a/resources/latest/charts/istiod/templates/_helpers.tpl b/resources/latest/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 042c92538..000000000 --- a/resources/latest/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} diff --git a/resources/latest/charts/istiod/templates/autoscale.yaml b/resources/latest/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 5283a5090..000000000 --- a/resources/latest/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - maxReplicas: {{ .Values.autoscaleMax }} - minReplicas: {{ .Values.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.cpu.targetAverageUtilization }} - {{- if .Values.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod/templates/clusterrole.yaml b/resources/latest/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index ac86e28b6..000000000 --- a/resources/latest/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,165 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch" ] - resources: [ "serviceentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} diff --git a/resources/latest/charts/istiod/templates/clusterrolebinding.yaml b/resources/latest/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index 8a1a70f86..000000000 --- a/resources/latest/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} diff --git a/resources/latest/charts/istiod/templates/configmap-jwks.yaml b/resources/latest/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index df60db12a..000000000 --- a/resources/latest/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} -{{- end }} diff --git a/resources/latest/charts/istiod/templates/configmap.yaml b/resources/latest/charts/istiod/templates/configmap.yaml deleted file mode 100644 index 109e2bb82..000000000 --- a/resources/latest/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,114 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod/templates/deployment.yaml b/resources/latest/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 3b8ea75d9..000000000 --- a/resources/latest/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,277 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -{{- range $key, $val := .Values.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.autoscaleEnabled }} -{{- if .Values.replicaCount }} - replicas: {{ .Values.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.rollingMaxSurge }} - maxUnavailable: {{ .Values.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 8 }} - annotations: - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - sidecar.istio.io/inject: "false" - {{- if .Values.podAnnotations }} -{{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.taint.namespace }} - - --cniNamespace={{ .Values.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.keepaliveMaxServerConnectionAge }}" -{{- if .Values.extraContainerArgs }} - {{- with .Values.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - - containerPort: 15014 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - # If you explicitly told us where ztunnel lives, use that. - # Otherwise, assume it lives in our namespace - # Also, check for an explicit ENV override (legacy approach) and prefer that - # if present - {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} - {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} - - name: CA_TRUSTED_NODE_ACCOUNTS - value: "{{ $ztTrustedNS }}/ztunnel" - {{- end }} - {{- if .Values.env }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if .Values.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.traceSampling }}" -{{- end }} -# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then -# don't set it here to avoid duplication. -# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 -{{- if and .Values.global.externalIstiod (not (and .Values.pilot.env .Values.pilot.env.EXTERNAL_ISTIOD)) }} - - name: EXTERNAL_ISTIOD - value: "{{ .Values.global.externalIstiod }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PLATFORM - value: "{{ .Values.global.platform }}" - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.seccompProfile }} - seccompProfile: -{{ toYaml .Values.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true - {{- if .Values.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- diff --git a/resources/latest/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/latest/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index b87691742..000000000 --- a/resources/latest/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,82 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values "cni" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml b/resources/latest/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 5b7e734e4..000000000 --- a/resources/latest/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,160 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} - app.kubernetes.io/name: "sidecar-injector" - {{- include "istio.labels" . | nindent 4 }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml b/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index ed8931727..000000000 --- a/resources/latest/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod/templates/reader-clusterrole.yaml b/resources/latest/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index 85707cb87..000000000 --- a/resources/latest/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/resources/latest/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/latest/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index aea9f01f7..000000000 --- a/resources/latest/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} - app.kubernetes.io/name: "istio-reader" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/latest/charts/istiod/templates/revision-tags.yaml b/resources/latest/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 1d13d62d5..000000000 --- a/resources/latest/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,143 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} - app.kubernetes.io/name: "sidecar-injector" - {{- include "istio.labels" $ | nindent 4 }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod/templates/role.yaml b/resources/latest/charts/istiod/templates/role.yaml deleted file mode 100644 index 68e44d4de..000000000 --- a/resources/latest/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] diff --git a/resources/latest/charts/istiod/templates/rolebinding.yaml b/resources/latest/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index cdb3f5dab..000000000 --- a/resources/latest/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/latest/charts/istiod/templates/service.yaml b/resources/latest/charts/istiod/templates/service.yaml deleted file mode 100644 index d474462c6..000000000 --- a/resources/latest/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.serviceAnnotations }} - annotations: -{{ toYaml .Values.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} - {{- end }} - {{- if .Values.ipFamilies }} - ipFamilies: - {{- range .Values.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- diff --git a/resources/latest/charts/istiod/templates/serviceaccount.yaml b/resources/latest/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index 280695d5a..000000000 --- a/resources/latest/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} - {{- if .Values.serviceAccountAnnotations }} - annotations: -{{- toYaml .Values.serviceAccountAnnotations | indent 4 }} - {{- end }} ---- diff --git a/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index acf732916..000000000 --- a/resources/latest/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - labels: - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} diff --git a/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 116ce4ce7..000000000 --- a/resources/latest/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,65 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - app.kubernetes.io/name: "istiod" - {{- include "istio.labels" . | nindent 4 }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} diff --git a/resources/latest/charts/istiod/templates/zzy_descope_legacy.yaml b/resources/latest/charts/istiod/templates/zzy_descope_legacy.yaml deleted file mode 100644 index ae8fced29..000000000 --- a/resources/latest/charts/istiod/templates/zzy_descope_legacy.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. -Due to the file naming, this always happens after zzz_profile.yaml */}} -{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/resources/latest/charts/istiod/templates/zzz_profile.yaml b/resources/latest/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index b96dcafcb..000000000 --- a/resources/latest/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if false }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/istiod/values.yaml b/resources/latest/charts/istiod/values.yaml deleted file mode 100644 index bc83baf91..000000000 --- a/resources/latest/charts/istiod/values.yaml +++ /dev/null @@ -1,521 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - # Ambient mode only. - # Set this if you install ztunnel to a different namespace from `istiod`. - # If set, `istiod` will allow connections from trusted node proxy ztunnels - # in the provided namespace. - # If unset, `istiod` will assume the trusted node proxy ztunnel resides - # in the same namespace as itself. - trustedZtunnelNamespace: "" - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: gcr.io/istio-testing - # Default tag for Istio images. - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - # Specify the path to the outlier event log. - # Example: /dev/stdout - outlierLogPath: "" - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - waypoint: - # Resources for the waypoint proxy. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: "2" - memory: 1Gi - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - - # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it - seccompProfile: {} diff --git a/resources/latest/charts/ztunnel/Chart.yaml b/resources/latest/charts/ztunnel/Chart.yaml deleted file mode 100644 index 4eb63bbed..000000000 --- a/resources/latest/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v2 -appVersion: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 diff --git a/resources/latest/charts/ztunnel/README.md b/resources/latest/charts/ztunnel/README.md deleted file mode 100644 index ffe0b94fe..000000000 --- a/resources/latest/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/latest/charts/ztunnel/files/profile-ambient.yaml b/resources/latest/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 2805fe46b..000000000 --- a/resources/latest/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" -cni: - ambient: - enabled: true diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 2b72bd93c..000000000 --- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml deleted file mode 100644 index 2badb70a5..000000000 --- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.22.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" - - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" - -meshConfig: - defaultConfig: - proxyMetadata: - # 1.22 behavioral changes - ENABLE_DEFERRED_CLUSTER_CREATION: "false" - # 1.23 behavioral changes - ENABLE_DELIMITED_STATS_TAG_REGEX: "false" diff --git a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml deleted file mode 100644 index f855500b0..000000000 --- a/resources/latest/charts/ztunnel/files/profile-compatibility-version-1.23.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.24 behavioral changes - ENABLE_INBOUND_RETRY_POLICY: "false" - EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" - PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" \ No newline at end of file diff --git a/resources/latest/charts/ztunnel/files/profile-demo.yaml b/resources/latest/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index eadbde17c..000000000 --- a/resources/latest/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,90 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -cni: - resources: - requests: - cpu: 10m - memory: 40Mi - -ztunnel: - resources: - requests: - cpu: 10m - memory: 40Mi - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - waypoint: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml deleted file mode 100644 index 444665932..000000000 --- a/resources/latest/charts/ztunnel/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift - variant: distroless - seLinuxOptions: - type: spc_t -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - env: - PILOT_ENABLE_AMBIENT: "true" \ No newline at end of file diff --git a/resources/latest/charts/ztunnel/files/profile-openshift.yaml b/resources/latest/charts/ztunnel/files/profile-openshift.yaml deleted file mode 100644 index 38357bd99..000000000 --- a/resources/latest/charts/ztunnel/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift \ No newline at end of file diff --git a/resources/latest/charts/ztunnel/files/profile-preview.yaml b/resources/latest/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/latest/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/latest/charts/ztunnel/files/profile-stable.yaml b/resources/latest/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/latest/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/latest/charts/ztunnel/templates/NOTES.txt b/resources/latest/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db0..000000000 --- a/resources/latest/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/latest/charts/ztunnel/templates/_helpers.tpl b/resources/latest/charts/ztunnel/templates/_helpers.tpl deleted file mode 100644 index 5ef0d0e40..000000000 --- a/resources/latest/charts/ztunnel/templates/_helpers.tpl +++ /dev/null @@ -1,10 +0,0 @@ -{{- define "istio-labels" }} - app.kubernetes.io/name: ztunnel - {{- if .Release.Service }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - {{- end }} - {{- if .Release.Name}} - app.kubernetes.io/instance: {{ .Release.Name }} - {{- end }} - app.kubernetes.io/part-of: istio -{{- end }} diff --git a/resources/latest/charts/ztunnel/templates/daemonset.yaml b/resources/latest/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 6025871e9..000000000 --- a/resources/latest/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,197 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -spec: - updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 8}} -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{- if .Values.revision }} - istio.io/rev: {{ .Values.revision }} -{{- end }} -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | trim | indent 8 }} -{{- end }} - serviceAccountName: ztunnel - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true - # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 - allowPrivilegeEscalation: true - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - {{- if .Values.xdsAddress }} - value: {{ .Values.xdsAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - {{- if .Values.logAsJson }} - - name: LOG_FORMAT - value: json - {{- end}} - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: RUST_BACKTRACE - value: "1" - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: TERMINATION_GRACE_PERIOD_SECONDS - value: "{{ .Values.terminationGracePeriodSeconds }}" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/resources/latest/charts/ztunnel/templates/rbac.yaml b/resources/latest/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index a9ea6fb6a..000000000 --- a/resources/latest/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} ---- -{{- if (eq .Values.platform "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ztunnel - labels: - app: ztunnel - release: {{ .Release.Name }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ztunnel - labels: - app: ztunnel - release: {{ .Release.Name }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - app.kubernetes.io/name: ztunnel - {{- include "istio.labels" . | nindent 4}} - annotations: -{{- if .Values.revision }} - {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} - {{- toYaml $annos | nindent 4}} -{{- else }} - {{- .Values.annotations | toYaml | nindent 4 }} -{{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ztunnel -subjects: -- kind: ServiceAccount - name: ztunnel - namespace: {{ .Release.Namespace }} -{{- end }} ---- diff --git a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml b/resources/latest/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 68a66eec6..000000000 --- a/resources/latest/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,62 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $globals := $.Values.global | default dict | deepCopy }} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -# Flatten globals, if defined on a per-chart basis -{{- if true }} -{{- $a := mustMergeOverwrite $defaults $globals }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} - -{{/* -Labels that should be applied to ALL resources. -*/}} -{{- define "istio.labels" -}} -{{- if .Release.Service -}} -app.kubernetes.io/managed-by: {{ .Release.Service | quote }} -{{- end }} -{{- if .Release.Name }} -app.kubernetes.io/instance: {{ .Release.Name | quote }} -{{- end }} -app.kubernetes.io/part-of: "istio" -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -{{- if and .Chart.Name .Chart.Version }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end -}} diff --git a/resources/latest/charts/ztunnel/values.yaml b/resources/latest/charts/ztunnel/values.yaml deleted file mode 100644 index 955528f5b..000000000 --- a/resources/latest/charts/ztunnel/values.yaml +++ /dev/null @@ -1,98 +0,0 @@ -# "defaults" is a workaround for Helm limitations. Users should NOT set ".defaults" explicitly, but rather directly set the fields internally. -# For instance, instead of `--set defaults.foo=bar`, just set `--set foo=bar`. -defaults: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: gcr.io/istio-testing - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.24-alpha.b28bdd77da4c7f0f4f3631db514f1c4f79a90289 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # The customized XDS address to retrieve configuration. - # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. - # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 - xdsAddress: "" - - # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # To output all logs in json format - logAsJson: false - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t diff --git a/resources/latest/profiles/ambient.yaml b/resources/latest/profiles/ambient.yaml deleted file mode 100644 index ddaaa4415..000000000 --- a/resources/latest/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: ambient diff --git a/resources/latest/profiles/default.yaml b/resources/latest/profiles/default.yaml deleted file mode 100644 index 1f44cc310..000000000 --- a/resources/latest/profiles/default.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true diff --git a/resources/latest/profiles/demo.yaml b/resources/latest/profiles/demo.yaml deleted file mode 100644 index fad37e4c2..000000000 --- a/resources/latest/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: demo diff --git a/resources/latest/profiles/empty.yaml b/resources/latest/profiles/empty.yaml deleted file mode 100644 index 01052de7f..000000000 --- a/resources/latest/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: {} diff --git a/resources/latest/profiles/openshift-ambient.yaml b/resources/latest/profiles/openshift-ambient.yaml deleted file mode 100644 index a30b2099b..000000000 --- a/resources/latest/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: openshift-ambient diff --git a/resources/latest/profiles/openshift.yaml b/resources/latest/profiles/openshift.yaml deleted file mode 100644 index a75886e87..000000000 --- a/resources/latest/profiles/openshift.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: openshift diff --git a/resources/latest/profiles/preview.yaml b/resources/latest/profiles/preview.yaml deleted file mode 100644 index 485687d6a..000000000 --- a/resources/latest/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: preview diff --git a/resources/latest/profiles/stable.yaml b/resources/latest/profiles/stable.yaml deleted file mode 100644 index 594344792..000000000 --- a/resources/latest/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: stable diff --git a/resources/v1.21.5/charts/base/Chart.yaml b/resources/v1.21.5/charts/base/Chart.yaml deleted file mode 100644 index 61e7978b9..000000000 --- a/resources/v1.21.5/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -appVersion: 1.21.5 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.21.5 diff --git a/resources/v1.21.5/charts/base/README.md b/resources/v1.21.5/charts/base/README.md deleted file mode 100644 index ae8f6d5b0..000000000 --- a/resources/v1.21.5/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/v1.21.5/charts/base/crds/crd-all.gen.yaml b/resources/v1.21.5/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index 93cbd3fb4..000000000 --- a/resources/v1.21.5/charts/base/crds/crd-all.gen.yaml +++ /dev/null @@ -1,8457 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - failStrategy: - description: Specifies the failure behavior for the plugin due to - fatal errors. - enum: - - FAIL_CLOSE - - FAIL_OPEN - type: string - imagePullPolicy: - description: The pull behaviour to be applied when fetching Wasm module - by either OCI image or `http/https`. - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - maxLength: 253 - minLength: 1 - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: Criteria for selecting traffic by their direction. - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - maximum: 65535 - minimum: 1 - type: integer - required: - - number - type: object - type: array - x-kubernetes-list-map-keys: - - number - x-kubernetes-list-type: map - type: object - type: array - phase: - description: Determines where in the filter chain this `WasmPlugin` - is to be injected. - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - description: The plugin name to be used in the Envoy configuration - (used to be called `rootID`). - maxLength: 256 - minLength: 1 - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - nullable: true - type: integer - selector: - description: Criteria used to select the specific set of pods/VMs - on which this plugin configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - pattern: (^$|^[a-f0-9]{64}$) - type: string - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: - description: Specifies the type of Wasm Extension to be used. - enum: - - UNSPECIFIED_PLUGIN_TYPE - - HTTP - - NETWORK - type: string - url: - description: URL of a Wasm module or OCI container. - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have schema one of [http, https, file, oci] - rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', - ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && - url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', - ''oci'', ''file''])' - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - description: Name of the environment variable. - maxLength: 256 - minLength: 1 - type: string - value: - description: Value for the environment variable. - maxLength: 2048 - type: string - valueFrom: - description: Source for the environment variable's value. - enum: - - INLINE - - HOST - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: value may only be set when valueFrom is INLINE - rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' - || !has(self.value)' - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - url - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to - this port should be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: The PROXY protocol version to use. - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to this port - should be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to this port - should be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: The PROXY protocol version to use. - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to this port should - be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection - should be upgraded to http2 for the associated - destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to - this port should be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: The PROXY protocol version to use. - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to this port - should be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should - be upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - type: integer - type: object - minimumRingSize: - description: Deprecated. - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to this port - should be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: The PROXY protocol version to use. - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: Indicates whether connections to this port should - be secured using TLS. - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - description: Specifies where in the Envoy configuration, the - patch should be applied. - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: The specific config generation context to match - on. - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this - filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which - traffic is being sent/received. - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by - a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format - (RE2) that can be used to select proxies using a specific - version of istio proxy. - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - description: The Istio gateway config's namespace/name - for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server - port number for which this route configuration was - generated. - type: integer - vhost: - description: Match a specific virtual host in a route - configuration and apply the patch to the virtual host. - properties: - name: - description: The VirtualHosts objects generated - by Istio are named as host:port, where the host - typically corresponds to the VirtualService's - host field or the hostname of a service in the - registry. - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: Match a route with specific action - type. - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - description: The Route objects generated by - default are named as default. - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: Determines the filter insertion order. - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: Determines how the patch should be applied. - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to - this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to - this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external - to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: Specify whether the service should be considered external - to the mesh or part of the mesh. - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: Service resolution mode for the hosts. - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode - option dictates how traffic to the listener is expected to - be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to - the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be - upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to - this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: When the bind address is an IP, the captureMode - option dictates how traffic to the listener is expected to - be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be upgraded - to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: The captureMode option dictates how traffic to - the listener is expected to be captured (or not). - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: Specify if http1.1 connection should be - upgraded to http2 for the associated destination. - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: 'Optional: Indicates whether connections to - this port should be secured using TLS.' - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - nullable: true - type: integer - mirrorPercent: - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: 'On a redirect, dynamically set the port: * - FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP - and 443 for HTTPS.' - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - nullable: true - type: integer - mirrorPercent: - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: 'On a redirect, dynamically set the port: * - FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP - and 443 for HTTPS.' - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - singular: authorizationpolicy - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: Optional. - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: Defines the mTLS mode used for peer authentication. - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - required: - - issuer - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - required: - - issuer - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: This determines whether or not to apply the - access logging configuration based on the direction of - traffic relative to the proxied workload. - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: One of the well-known [Istio Standard - Metrics](https://istio.io/latest/docs/reference/config/metrics/). - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: 'Controls which mode of metrics generation - is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`.' - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: Operation controls whether or not to - update/add a tag, or to remove it. - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - description: Optional. - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: This determines whether or not to apply the - tracing configuration based on the direction of traffic - relative to the proxied workload. - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} diff --git a/resources/v1.21.5/charts/base/files/profile-ambient.yaml b/resources/v1.21.5/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 59dd9114e..000000000 --- a/resources/v1.21.5/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -variant: distroless -pilot: - variant: distroless - env: - # Setup more secure default that is off in 'default' only for backwards compatibility - VERIFY_CERTIFICATE_AT_CLIENT: "true" - ENABLE_AUTO_SNI: "true" - - PILOT_ENABLE_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" - PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" -cni: - logLevel: info - privileged: true - ambient: - enabled: true - - # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni - excludeNamespaces: - - kube-system diff --git a/resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 9f0fd563b..000000000 --- a/resources/v1.21.5/charts/base/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,6 +0,0 @@ -pilot: - env: - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" diff --git a/resources/v1.21.5/charts/base/files/profile-demo.yaml b/resources/v1.21.5/charts/base/files/profile-demo.yaml deleted file mode 100644 index 4ed37fed3..000000000 --- a/resources/v1.21.5/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,69 +0,0 @@ -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.istio-system.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.21.5/charts/base/files/profile-openshift.yaml b/resources/v1.21.5/charts/base/files/profile-openshift.yaml deleted file mode 100644 index 100ca578c..000000000 --- a/resources/v1.21.5/charts/base/files/profile-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - excludeNamespaces: - - istio-system - - kube-system - logLevel: info - privileged: true - provider: "multus" -global: - platform: openshift -istio_cni: - enabled: true - chained: false -platform: openshift \ No newline at end of file diff --git a/resources/v1.21.5/charts/base/files/profile-preview.yaml b/resources/v1.21.5/charts/base/files/profile-preview.yaml deleted file mode 100644 index 390ed749f..000000000 --- a/resources/v1.21.5/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.21.5/charts/base/templates/NOTES.txt b/resources/v1.21.5/charts/base/templates/NOTES.txt deleted file mode 100644 index 006450167..000000000 --- a/resources/v1.21.5/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} diff --git a/resources/v1.21.5/charts/base/templates/crds.yaml b/resources/v1.21.5/charts/base/templates/crds.yaml deleted file mode 100644 index af9901c6e..000000000 --- a/resources/v1.21.5/charts/base/templates/crds.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{- if .Values.base.enableCRDTemplates }} -{{ .Files.Get "crds/crd-all.gen.yaml" }} -{{- end }} diff --git a/resources/v1.21.5/charts/base/templates/default.yaml b/resources/v1.21.5/charts/base/templates/default.yaml deleted file mode 100644 index b6e663161..000000000 --- a/resources/v1.21.5/charts/base/templates/default.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} diff --git a/resources/v1.21.5/charts/base/templates/endpoints.yaml b/resources/v1.21.5/charts/base/templates/endpoints.yaml deleted file mode 100644 index 36575202d..000000000 --- a/resources/v1.21.5/charts/base/templates/endpoints.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index d9ce18c27..000000000 --- a/resources/v1.21.5/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} diff --git a/resources/v1.21.5/charts/base/templates/services.yaml b/resources/v1.21.5/charts/base/templates/services.yaml deleted file mode 100644 index fc1fa1a2f..000000000 --- a/resources/v1.21.5/charts/base/templates/services.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/resources/v1.21.5/charts/base/templates/zzz_profile.yaml b/resources/v1.21.5/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 6588debf9..000000000 --- a/resources/v1.21.5/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.21.5/charts/base/values.yaml b/resources/v1.21.5/charts/base/values.yaml deleted file mode 100644 index d8ace42cf..000000000 --- a/resources/v1.21.5/charts/base/values.yaml +++ /dev/null @@ -1,40 +0,0 @@ -defaults: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - istiod: - enableAnalysis: false - - configValidation: true - externalIstiod: false - remotePilotAddress: "" - - # Platform where Istio is deployed. Possible values are: "openshift", "gcp". - # An empty value means it is a vanilla Kubernetes distribution, therefore no special - # treatment will be considered. - platform: "" - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - # This is intended only for use with external istiod. - ipFamilyPolicy: "" - ipFamilies: [] - - base: - # Used for helm2 to add the CRDs to templates. - enableCRDTemplates: false - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" diff --git a/resources/v1.21.5/charts/cni/Chart.yaml b/resources/v1.21.5/charts/cni/Chart.yaml deleted file mode 100644 index 8c4d91551..000000000 --- a/resources/v1.21.5/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -appVersion: 1.21.5 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio/tree/release-1.21/cni -version: 1.21.5 diff --git a/resources/v1.21.5/charts/cni/README.md b/resources/v1.21.5/charts/cni/README.md deleted file mode 100644 index a8b78d5bd..000000000 --- a/resources/v1.21.5/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/resources/v1.21.5/charts/cni/files/profile-ambient.yaml b/resources/v1.21.5/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 59dd9114e..000000000 --- a/resources/v1.21.5/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -variant: distroless -pilot: - variant: distroless - env: - # Setup more secure default that is off in 'default' only for backwards compatibility - VERIFY_CERTIFICATE_AT_CLIENT: "true" - ENABLE_AUTO_SNI: "true" - - PILOT_ENABLE_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" - PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" -cni: - logLevel: info - privileged: true - ambient: - enabled: true - - # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni - excludeNamespaces: - - kube-system diff --git a/resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 9f0fd563b..000000000 --- a/resources/v1.21.5/charts/cni/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,6 +0,0 @@ -pilot: - env: - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" diff --git a/resources/v1.21.5/charts/cni/files/profile-demo.yaml b/resources/v1.21.5/charts/cni/files/profile-demo.yaml deleted file mode 100644 index 4ed37fed3..000000000 --- a/resources/v1.21.5/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,69 +0,0 @@ -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.istio-system.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.21.5/charts/cni/files/profile-openshift.yaml b/resources/v1.21.5/charts/cni/files/profile-openshift.yaml deleted file mode 100644 index 100ca578c..000000000 --- a/resources/v1.21.5/charts/cni/files/profile-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - excludeNamespaces: - - istio-system - - kube-system - logLevel: info - privileged: true - provider: "multus" -global: - platform: openshift -istio_cni: - enabled: true - chained: false -platform: openshift \ No newline at end of file diff --git a/resources/v1.21.5/charts/cni/files/profile-preview.yaml b/resources/v1.21.5/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 390ed749f..000000000 --- a/resources/v1.21.5/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.21.5/charts/cni/templates/NOTES.txt b/resources/v1.21.5/charts/cni/templates/NOTES.txt deleted file mode 100644 index 994628240..000000000 --- a/resources/v1.21.5/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} diff --git a/resources/v1.21.5/charts/cni/templates/clusterrole.yaml b/resources/v1.21.5/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index fda1c15fc..000000000 --- a/resources/v1.21.5/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq .Values.platform "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.cni.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni-repair-role - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.cni.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.cni.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.cni.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.cni.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni-ambient - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} diff --git a/resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 570f15cfb..000000000 --- a/resources/v1.21.5/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.cni.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni-repair-rolebinding - labels: - k8s-app: istio-cni-repair - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni-repair-role -{{- end }} ---- -{{- if .Values.cni.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni-ambient - labels: - k8s-app: istio-cni-repair - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -subjects: - - kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni-ambient -{{- end }} \ No newline at end of file diff --git a/resources/v1.21.5/charts/cni/templates/configmap-cni.yaml b/resources/v1.21.5/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index cf4e020de..000000000 --- a/resources/v1.21.5/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: ConfigMap -apiVersion: v1 -metadata: - name: istio-cni-config - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": {{ quote .Values.cni.logLevel }}, - "log_uds_address": "__LOG_UDS_ADDRESS__", - {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}} - "cni_event_address": "__CNI_EVENT_ADDRESS__", - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, - "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] - } - } diff --git a/resources/v1.21.5/charts/cni/templates/daemonset.yaml b/resources/v1.21.5/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 2449edee5..000000000 --- a/resources/v1.21.5/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,228 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: istio-cni-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: istio-cni-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -spec: - selector: - matchLabels: - k8s-app: istio-cni-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} - template: - metadata: - labels: - k8s-app: istio-cni-node - sidecar.istio.io/inject: "false" - annotations: - sidecar.istio.io/inject: "false" - ambient.istio.io/redirection: disabled - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Custom annotations - {{- if .Values.cni.podAnnotations }} -{{ toYaml .Values.cni.podAnnotations | indent 8 }} - {{- end }} - spec: - {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding instio-cni from being scheduled on specified nodes - {{- with .Values.cni.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: istio-cni - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.cni.image }} - image: "{{ .Values.cni.image }}" -{{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false -{{- if .Values.cni.ambient.enabled }} - capabilities: - drop: - - ALL - add: - - NET_ADMIN - # TODO this, `privileged`, etc need to be reworked - both sidecar (repair) and ambient require SYS_ADMIN - # and istio-cni is *always* privileged to some degree, regardless of the `privileged` flag - - SYS_ADMIN - - NET_RAW -{{- end }} - privileged: {{ .Values.cni.privileged }} -{{- if .Values.cni.seccompProfile }} - seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - env: -{{- if .Values.cni.cniConfFileName }} - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "{{ .Values.cni.cniConfFileName }}" -{{- end }} - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Deploy as a standalone CNI plugin or as chained? - - name: CHAINED_CNI_PLUGIN - value: "{{ .Values.cni.chained }}" - - name: REPAIR_ENABLED - value: "{{ .Values.cni.repair.enabled }}" -{{- if .Values.cni.ambient.enabled }} - - name: AMBIENT_DNS_CAPTURE - value: "{{ .Values.cni.ambient.dnsCapture }}" -{{- end }} - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: "{{.Values.cni.repair.labelPods}}" - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: "{{.Values.cni.repair.deletePods}}" - - name: REPAIR_REPAIR_PODS - value: "{{.Values.cni.repair.repairPods}}" - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - - name: REPAIR_INIT_CONTAINER_NAME - value: "{{ .Values.cni.repair.initContainerName }}" - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: "{{.Values.cni.repair.brokenPodLabelKey}}" - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: "{{.Values.cni.repair.brokenPodLabelValue}}" - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: LOG_LEVEL - value: {{ .Values.cni.logLevel | quote }} - {{- if .Values.cni.ambient.enabled }} - - name: AMBIENT_ENABLED - value: "true" - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.cni.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.cni.resources }} -{{ toYaml .Values.cni.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} - {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.cni.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cni.cniNetnsDir | default "/var/run/netns" }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 1da070baa..000000000 --- a/resources/v1.21.5/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if eq .Values.cni.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: istio-cni - namespace: default - labels: - operator.istio.io/component: "Cni" -{{- end }} diff --git a/resources/v1.21.5/charts/cni/templates/resourcequota.yaml b/resources/v1.21.5/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 15946ae72..000000000 --- a/resources/v1.21.5/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.cni.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: istio-cni-resource-quota - namespace: {{ .Release.Namespace }} -spec: - hard: - pods: {{ .Values.cni.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} diff --git a/resources/v1.21.5/charts/cni/templates/serviceaccount.yaml b/resources/v1.21.5/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 4645db63a..000000000 --- a/resources/v1.21.5/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-cni - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" diff --git a/resources/v1.21.5/charts/cni/templates/zzz_profile.yaml b/resources/v1.21.5/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 6588debf9..000000000 --- a/resources/v1.21.5/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.21.5/charts/cni/values.yaml b/resources/v1.21.5/charts/cni/values.yaml deleted file mode 100644 index 8f65adbea..000000000 --- a/resources/v1.21.5/charts/cni/values.yaml +++ /dev/null @@ -1,147 +0,0 @@ -defaults: - cni: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - # This directory must exist on the node, if it does not, consult your container runtime - # documentation for the appropriate path. - cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. - - - excludeNamespaces: - - istio-system - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift) or features (repairPods) - # Note that even if this is false, the `istio-cni` container *requires* root privileges on the node to function, - # and setting this to false does not change that, nor will it run the container as non-root or make it "un-privileged". - privileged: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # The number of pods that can be unavailable during rolling update (see - # `updateStrategy.rollingUpdate.maxUnavailable` here: - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - # May be specified as a number of pods or as a percent of the total number - # of pods at the start of the update. - rollingMaxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.21.5 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi diff --git a/resources/v1.21.5/charts/gateway/Chart.yaml b/resources/v1.21.5/charts/gateway/Chart.yaml deleted file mode 100644 index f17abf8ab..000000000 --- a/resources/v1.21.5/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.21.5 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.21.5 diff --git a/resources/v1.21.5/charts/gateway/README.md b/resources/v1.21.5/charts/gateway/README.md deleted file mode 100644 index 5c064d165..000000000 --- a/resources/v1.21.5/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/resources/v1.21.5/charts/gateway/files/profile-ambient.yaml b/resources/v1.21.5/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 59dd9114e..000000000 --- a/resources/v1.21.5/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -variant: distroless -pilot: - variant: distroless - env: - # Setup more secure default that is off in 'default' only for backwards compatibility - VERIFY_CERTIFICATE_AT_CLIENT: "true" - ENABLE_AUTO_SNI: "true" - - PILOT_ENABLE_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" - PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" -cni: - logLevel: info - privileged: true - ambient: - enabled: true - - # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni - excludeNamespaces: - - kube-system diff --git a/resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 9f0fd563b..000000000 --- a/resources/v1.21.5/charts/gateway/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,6 +0,0 @@ -pilot: - env: - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" diff --git a/resources/v1.21.5/charts/gateway/files/profile-demo.yaml b/resources/v1.21.5/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index 4ed37fed3..000000000 --- a/resources/v1.21.5/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,69 +0,0 @@ -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.istio-system.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.21.5/charts/gateway/files/profile-openshift.yaml b/resources/v1.21.5/charts/gateway/files/profile-openshift.yaml deleted file mode 100644 index 100ca578c..000000000 --- a/resources/v1.21.5/charts/gateway/files/profile-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - excludeNamespaces: - - istio-system - - kube-system - logLevel: info - privileged: true - provider: "multus" -global: - platform: openshift -istio_cni: - enabled: true - chained: false -platform: openshift \ No newline at end of file diff --git a/resources/v1.21.5/charts/gateway/files/profile-preview.yaml b/resources/v1.21.5/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 390ed749f..000000000 --- a/resources/v1.21.5/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.21.5/charts/gateway/templates/NOTES.txt b/resources/v1.21.5/charts/gateway/templates/NOTES.txt deleted file mode 100644 index 78451d33e..000000000 --- a/resources/v1.21.5/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/resources/v1.21.5/charts/gateway/templates/_helpers.tpl b/resources/v1.21.5/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index a777d43bc..000000000 --- a/resources/v1.21.5/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,61 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} -{{ include "gateway.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.podLabels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -{{- if hasKey .Values.labels "app" }} -{{- with .Values.labels.app }}app: {{.|quote}} -{{- end}} -{{- else }}app: {{ include "gateway.name" . }} -{{- end }} -{{- if hasKey .Values.labels "istio" }} -{{- with .Values.labels.istio }} -istio: {{.|quote}} -{{- end}} -{{- else }} -istio: {{ include "gateway.name" . | trimPrefix "istio-" }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/deployment.yaml b/resources/v1.21.5/charts/gateway/templates/deployment.yaml deleted file mode 100644 index 189751735..000000000 --- a/resources/v1.21.5/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,123 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- with .Values.replicaCount }} - replicas: {{ . }} - {{- end }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . | quote }} - {{- end }} - {{- include "gateway.podLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{ toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/hpa.yaml b/resources/v1.21.5/charts/gateway/templates/hpa.yaml deleted file mode 100644 index d95768ac9..000000000 --- a/resources/v1.21.5/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index 77f71e7fa..000000000 --- a/resources/v1.21.5/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/role.yaml b/resources/v1.21.5/charts/gateway/templates/role.yaml deleted file mode 100644 index c8a25cb72..000000000 --- a/resources/v1.21.5/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/service.yaml b/resources/v1.21.5/charts/gateway/templates/service.yaml deleted file mode 100644 index 9177d2a11..000000000 --- a/resources/v1.21.5/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,64 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml b/resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index e5b2304d6..000000000 --- a/resources/v1.21.5/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml b/resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 6588debf9..000000000 --- a/resources/v1.21.5/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.21.5/charts/gateway/values.schema.json b/resources/v1.21.5/charts/gateway/values.schema.json deleted file mode 100644 index c97d84c1e..000000000 --- a/resources/v1.21.5/charts/gateway/values.schema.json +++ /dev/null @@ -1,301 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "additionalProperties": false, - "$defs": { - "values": { - "type": "object", - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "revision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "priorityClassName": { - "type": "string" - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/resources/v1.21.5/charts/gateway/values.yaml b/resources/v1.21.5/charts/gateway/values.yaml deleted file mode 100644 index 1432f4d7b..000000000 --- a/resources/v1.21.5/charts/gateway/values.yaml +++ /dev/null @@ -1,152 +0,0 @@ -defaults: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Labels to apply to all resources - labels: {} - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" diff --git a/resources/v1.21.5/charts/istiod/Chart.yaml b/resources/v1.21.5/charts/istiod/Chart.yaml deleted file mode 100644 index 9a783f4eb..000000000 --- a/resources/v1.21.5/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -appVersion: 1.21.5 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.21.5 diff --git a/resources/v1.21.5/charts/istiod/README.md b/resources/v1.21.5/charts/istiod/README.md deleted file mode 100644 index ddbfbc8fe..000000000 --- a/resources/v1.21.5/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 59b33c16d..000000000 --- a/resources/v1.21.5/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,256 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.21.5/charts/istiod/files/grpc-agent.yaml b/resources/v1.21.5/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index eb179b374..000000000 --- a/resources/v1.21.5/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,316 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.21.5/charts/istiod/files/grpc-simple.yaml b/resources/v1.21.5/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46..000000000 --- a/resources/v1.21.5/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/resources/v1.21.5/charts/istiod/files/injection-template.yaml b/resources/v1.21.5/charts/istiod/files/injection-template.yaml deleted file mode 100644 index f88fec824..000000000 --- a/resources/v1.21.5/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,548 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if .Values.istio_cni.enabled }} - {{- if not .Values.istio_cni.chained }} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not .Values.istio_cni.enabled }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not .Values.istio_cni.enabled }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.21.5/charts/istiod/files/kube-gateway.yaml b/resources/v1.21.5/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index ec699fa43..000000000 --- a/resources/v1.21.5/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,354 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 8 }} - spec: - {{- if .KubeVersion122 }} - {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - {{- if .KubeVersion122 }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - env: - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/resources/v1.21.5/charts/istiod/files/profile-ambient.yaml b/resources/v1.21.5/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 59dd9114e..000000000 --- a/resources/v1.21.5/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -variant: distroless -pilot: - variant: distroless - env: - # Setup more secure default that is off in 'default' only for backwards compatibility - VERIFY_CERTIFICATE_AT_CLIENT: "true" - ENABLE_AUTO_SNI: "true" - - PILOT_ENABLE_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" - PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" -cni: - logLevel: info - privileged: true - ambient: - enabled: true - - # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni - excludeNamespaces: - - kube-system diff --git a/resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 9f0fd563b..000000000 --- a/resources/v1.21.5/charts/istiod/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,6 +0,0 @@ -pilot: - env: - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" diff --git a/resources/v1.21.5/charts/istiod/files/profile-demo.yaml b/resources/v1.21.5/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index 4ed37fed3..000000000 --- a/resources/v1.21.5/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,69 +0,0 @@ -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.istio-system.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.21.5/charts/istiod/files/profile-openshift.yaml b/resources/v1.21.5/charts/istiod/files/profile-openshift.yaml deleted file mode 100644 index 100ca578c..000000000 --- a/resources/v1.21.5/charts/istiod/files/profile-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - excludeNamespaces: - - istio-system - - kube-system - logLevel: info - privileged: true - provider: "multus" -global: - platform: openshift -istio_cni: - enabled: true - chained: false -platform: openshift \ No newline at end of file diff --git a/resources/v1.21.5/charts/istiod/files/profile-preview.yaml b/resources/v1.21.5/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 390ed749f..000000000 --- a/resources/v1.21.5/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.21.5/charts/istiod/files/waypoint.yaml b/resources/v1.21.5/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 531cdae67..000000000 --- a/resources/v1.21.5/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,298 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "ambient.istio.io/redirection" "disabled" - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - runAsGroup: 1337 - runAsUser: 0 - capabilities: - drop: - - ALL - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/resources/v1.21.5/charts/istiod/templates/NOTES.txt b/resources/v1.21.5/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 27877a1b2..000000000 --- a/resources/v1.21.5/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,69 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} - -Next steps: - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/_helpers.tpl b/resources/v1.21.5/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 47b89a403..000000000 --- a/resources/v1.21.5/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} \ No newline at end of file diff --git a/resources/v1.21.5/charts/istiod/templates/autoscale.yaml b/resources/v1.21.5/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 0068b13c1..000000000 --- a/resources/v1.21.5/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,76 +0,0 @@ -{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} -{{- if not .Values.global.autoscalingv2API }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} - {{- if .Values.pilot.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }} - {{- end }} ---- -{{- else }} -{{- if (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion)}} -apiVersion: autoscaling/v2 -{{- else }} -apiVersion: autoscaling/v2beta2 -{{- end }} -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} - {{- if .Values.pilot.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.pilot.autoscaleBehavior }} - behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} -{{- end }} \ No newline at end of file diff --git a/resources/v1.21.5/charts/istiod/templates/clusterrole.yaml b/resources/v1.21.5/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index 097e5c0c2..000000000 --- a/resources/v1.21.5/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,152 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: - - "kubernetes.io/legacy-unknown" -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index f6e425210..000000000 --- a/resources/v1.21.5/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index b4c49dfa7..000000000 --- a/resources/v1.21.5/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.pilot.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -data: - extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/configmap.yaml b/resources/v1.21.5/charts/istiod/templates/configmap.yaml deleted file mode 100644 index df0ce35c7..000000000 --- a/resources/v1.21.5/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,112 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- else }} - {} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/deployment.yaml b/resources/v1.21.5/charts/istiod/templates/deployment.yaml deleted file mode 100644 index 9b1b6c2d2..000000000 --- a/resources/v1.21.5/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,265 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} -{{- range $key, $val := .Values.pilot.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.pilot.autoscaleEnabled }} -{{- if .Values.pilot.replicaCount }} - replicas: {{ .Values.pilot.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.pilot.rollingMaxSurge }} - maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.pilot.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - {{- end }} - ambient.istio.io/redirection: disabled - sidecar.istio.io/inject: "false" - {{- if .Values.pilot.podAnnotations }} -{{ toYaml .Values.pilot.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.pilot.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pilot.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.pilot.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.pilot.tolerations }} - tolerations: -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.pilot.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.pilot.image }} - image: "{{ .Values.pilot.image }}" -{{- else }} - image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.global.oneNamespace }} - - "-a" - - {{ .Release.Namespace }} -{{- end }} -{{- if .Values.pilot.plugins }} - - --plugins={{ .Values.pilot.plugins }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" -{{- if .Values.pilot.extraContainerArgs }} - {{- with .Values.pilot.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: JWT_POLICY - value: {{ .Values.global.jwtPolicy }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - {{- if .Values.pilot.env }} - {{- range $key, $val := .Values.pilot.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if .Values.pilot.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.pilot.traceSampling }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PLATFORM - value: "{{ .Values.global.platform }}" - resources: -{{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.pilot.seccompProfile }} - seccompProfile: -{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - {{- end }} - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.pilot.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - {{- end }} - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.pilot.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- diff --git a/resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 61da47ebe..000000000 --- a/resources/v1.21.5/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,78 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 9d7403d7c..000000000 --- a/resources/v1.21.5/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,154 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index ce61de5a9..000000000 --- a/resources/v1.21.5/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index d3d53d6a1..000000000 --- a/resources/v1.21.5/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,58 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 4f9925c9d..000000000 --- a/resources/v1.21.5/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.21.5/charts/istiod/templates/revision-tags.yaml b/resources/v1.21.5/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 5884e18e3..000000000 --- a/resources/v1.21.5/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,141 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/role.yaml b/resources/v1.21.5/charts/istiod/templates/role.yaml deleted file mode 100644 index 195bdde40..000000000 --- a/resources/v1.21.5/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] diff --git a/resources/v1.21.5/charts/istiod/templates/rolebinding.yaml b/resources/v1.21.5/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0d700f008..000000000 --- a/resources/v1.21.5/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.21.5/charts/istiod/templates/service.yaml b/resources/v1.21.5/charts/istiod/templates/service.yaml deleted file mode 100644 index 208e83561..000000000 --- a/resources/v1.21.5/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.pilot.serviceAnnotations }} - annotations: -{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.pilot.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }} - {{- end }} - {{- if .Values.pilot.ipFamilies }} - ipFamilies: - {{- range .Values.pilot.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- diff --git a/resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml b/resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index ee6cbc326..000000000 --- a/resources/v1.21.5/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} ---- diff --git a/resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 1978d3923..000000000 --- a/resources/v1.21.5/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,55 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} diff --git a/resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml b/resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 6588debf9..000000000 --- a/resources/v1.21.5/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.21.5/charts/istiod/values.yaml b/resources/v1.21.5/charts/istiod/values.yaml deleted file mode 100644 index a520c7a48..000000000 --- a/resources/v1.21.5/charts/istiod/values.yaml +++ /dev/null @@ -1,500 +0,0 @@ -defaults: - #.Values.pilot for discovery and mesh wide config - - ## Discovery Settings - pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - - plugins: [] - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.21.5 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Whether to restrict the applications namespace the controller manages; - # If not set, controller watches all namespaces - oneNamespace: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "zipkin" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # Configure the policy for validating JWT. - # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - jwtPolicy: "third-party-jwt" - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # keep in sync with settings used when installing the Istio CNI chart - istio_cni: - enabled: false - chained: true - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} diff --git a/resources/v1.21.5/charts/ztunnel/Chart.yaml b/resources/v1.21.5/charts/ztunnel/Chart.yaml deleted file mode 100644 index 39c53c819..000000000 --- a/resources/v1.21.5/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -appVersion: 1.21.5 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.21.5 diff --git a/resources/v1.21.5/charts/ztunnel/README.md b/resources/v1.21.5/charts/ztunnel/README.md deleted file mode 100644 index ffe0b94fe..000000000 --- a/resources/v1.21.5/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 59dd9114e..000000000 --- a/resources/v1.21.5/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -variant: distroless -pilot: - variant: distroless - env: - # Setup more secure default that is off in 'default' only for backwards compatibility - VERIFY_CERTIFICATE_AT_CLIENT: "true" - ENABLE_AUTO_SNI: "true" - - PILOT_ENABLE_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" - PILOT_ENABLE_AMBIENT_CONTROLLERS: "true" -cni: - logLevel: info - privileged: true - ambient: - enabled: true - - # Default excludes istio-system; its actually fine to redirect there since we opt-out istiod, ztunnel, and istio-cni - excludeNamespaces: - - kube-system diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 9f0fd563b..000000000 --- a/resources/v1.21.5/charts/ztunnel/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,6 +0,0 @@ -pilot: - env: - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml b/resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index 4ed37fed3..000000000 --- a/resources/v1.21.5/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,69 +0,0 @@ -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.istio-system.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.otel-collector.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml deleted file mode 100644 index 100ca578c..000000000 --- a/resources/v1.21.5/charts/ztunnel/files/profile-openshift.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - excludeNamespaces: - - istio-system - - kube-system - logLevel: info - privileged: true - provider: "multus" -global: - platform: openshift -istio_cni: - enabled: true - chained: false -platform: openshift \ No newline at end of file diff --git a/resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml b/resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 390ed749f..000000000 --- a/resources/v1.21.5/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.21.5/charts/ztunnel/templates/NOTES.txt b/resources/v1.21.5/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 93297520e..000000000 --- a/resources/v1.21.5/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} - $ helm get all {{ .Release.Name }} diff --git a/resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml b/resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 11daa5abe..000000000 --- a/resources/v1.21.5/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,160 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - app: ztunnel -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - ambient.istio.io/redirection: disabled - sidecar.istio.io/inject: "false" -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ztunnel - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: ISTIO_META_DNS_PROXY_ADDR - value: "127.0.0.1:15053" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet. - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/resources/v1.21.5/charts/ztunnel/templates/rbac.yaml b/resources/v1.21.5/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 5a569b647..000000000 --- a/resources/v1.21.5/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} ---- diff --git a/resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 6588debf9..000000000 --- a/resources/v1.21.5/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{/* -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.21.5/charts/ztunnel/values.yaml b/resources/v1.21.5/charts/ztunnel/values.yaml deleted file mode 100644 index 0416f7374..000000000 --- a/resources/v1.21.5/charts/ztunnel/values.yaml +++ /dev/null @@ -1,85 +0,0 @@ -defaults: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: docker.io/istio - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.21.5 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 500m - memory: 2048Mi - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t diff --git a/resources/v1.21.5/profiles/ambient.yaml b/resources/v1.21.5/profiles/ambient.yaml deleted file mode 100644 index ddaaa4415..000000000 --- a/resources/v1.21.5/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: ambient diff --git a/resources/v1.21.5/profiles/default.yaml b/resources/v1.21.5/profiles/default.yaml deleted file mode 100644 index 1f44cc310..000000000 --- a/resources/v1.21.5/profiles/default.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true diff --git a/resources/v1.21.5/profiles/demo.yaml b/resources/v1.21.5/profiles/demo.yaml deleted file mode 100644 index fad37e4c2..000000000 --- a/resources/v1.21.5/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: demo diff --git a/resources/v1.21.5/profiles/empty.yaml b/resources/v1.21.5/profiles/empty.yaml deleted file mode 100644 index 01052de7f..000000000 --- a/resources/v1.21.5/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: {} diff --git a/resources/v1.21.5/profiles/external.yaml b/resources/v1.21.5/profiles/external.yaml deleted file mode 100644 index 467cef38e..000000000 --- a/resources/v1.21.5/profiles/external.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Deprecated. Use the "remote" profile instead. -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - global: - externalIstiod: true - omitSidecarInjectorConfigMap: true - configCluster: false - pilot: - configMap: false - telemetry: - enabled: false diff --git a/resources/v1.21.5/profiles/openshift.yaml b/resources/v1.21.5/profiles/openshift.yaml deleted file mode 100644 index a75886e87..000000000 --- a/resources/v1.21.5/profiles/openshift.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: openshift diff --git a/resources/v1.21.5/profiles/preview.yaml b/resources/v1.21.5/profiles/preview.yaml deleted file mode 100644 index 485687d6a..000000000 --- a/resources/v1.21.5/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: preview diff --git a/resources/v1.22.3/charts/base/Chart.yaml b/resources/v1.22.3/charts/base/Chart.yaml deleted file mode 100644 index bf0eebf6f..000000000 --- a/resources/v1.22.3/charts/base/Chart.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -appVersion: 1.22.3 -description: Helm chart for deploying Istio cluster resources and CRDs -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -name: base -sources: -- https://github.com/istio/istio -version: 1.22.3 diff --git a/resources/v1.22.3/charts/base/README.md b/resources/v1.22.3/charts/base/README.md deleted file mode 100644 index ae8f6d5b0..000000000 --- a/resources/v1.22.3/charts/base/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# Istio base Helm Chart - -This chart installs resources shared by all Istio revisions. This includes Istio CRDs. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-base`: - -```console -kubectl create namespace istio-system -helm install istio-base istio/base -n istio-system -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/v1.22.3/charts/base/crds/crd-all.gen.yaml b/resources/v1.22.3/charts/base/crds/crd-all.gen.yaml deleted file mode 100644 index 1625d85f9..000000000 --- a/resources/v1.22.3/charts/base/crds/crd-all.gen.yaml +++ /dev/null @@ -1,13051 +0,0 @@ -# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: wasmplugins.extensions.istio.io -spec: - group: extensions.istio.io - names: - categories: - - istio-io - - extensions-istio-io - kind: WasmPlugin - listKind: WasmPluginList - plural: wasmplugins - singular: wasmplugin - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Extend the functionality provided by the Istio proxy through - WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' - properties: - failStrategy: - description: |- - Specifies the failure behavior for the plugin due to fatal errors. - - Valid Options: FAIL_CLOSE, FAIL_OPEN - enum: - - FAIL_CLOSE - - FAIL_OPEN - type: string - imagePullPolicy: - description: |- - The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. - - Valid Options: IfNotPresent, Always - enum: - - UNSPECIFIED_POLICY - - IfNotPresent - - Always - type: string - imagePullSecret: - description: Credentials to use for OCI image pulling. - maxLength: 253 - minLength: 1 - type: string - match: - description: Specifies the criteria to determine which traffic is - passed to WasmPlugin. - items: - properties: - mode: - description: |- - Criteria for selecting traffic by their direction. - - Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER - enum: - - UNDEFINED - - CLIENT - - SERVER - - CLIENT_AND_SERVER - type: string - ports: - description: Criteria for selecting traffic by their destination - port. - items: - properties: - number: - maximum: 65535 - minimum: 1 - type: integer - required: - - number - type: object - type: array - x-kubernetes-list-map-keys: - - number - x-kubernetes-list-type: map - type: object - type: array - phase: - description: |- - Determines where in the filter chain this `WasmPlugin` is to be injected. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED_PHASE - - AUTHN - - AUTHZ - - STATS - type: string - pluginConfig: - description: The configuration that will be passed on to the plugin. - type: object - x-kubernetes-preserve-unknown-fields: true - pluginName: - description: The plugin name to be used in the Envoy configuration - (used to be called `rootID`). - maxLength: 256 - minLength: 1 - type: string - priority: - description: Determines ordering of `WasmPlugins` in the same `phase`. - format: int32 - nullable: true - type: integer - selector: - description: Criteria used to select the specific set of pods/VMs - on which this plugin configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - sha256: - description: SHA256 checksum that will be used to verify Wasm module - or OCI container. - pattern: (^$|^[a-f0-9]{64}$) - type: string - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: - description: |- - Specifies the type of Wasm Extension to be used. - - Valid Options: HTTP, NETWORK - enum: - - UNSPECIFIED_PLUGIN_TYPE - - HTTP - - NETWORK - type: string - url: - description: URL of a Wasm module or OCI container. - minLength: 1 - type: string - x-kubernetes-validations: - - message: url must have schema one of [http, https, file, oci] - rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', - ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && - url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', - ''oci'', ''file''])' - verificationKey: - type: string - vmConfig: - description: Configuration for a Wasm VM. - properties: - env: - description: Specifies environment variables to be injected to - this VM. - items: - properties: - name: - description: Name of the environment variable. - maxLength: 256 - minLength: 1 - type: string - value: - description: Value for the environment variable. - maxLength: 2048 - type: string - valueFrom: - description: |- - Source for the environment variable's value. - - Valid Options: INLINE, HOST - enum: - - INLINE - - HOST - type: string - required: - - name - type: object - x-kubernetes-validations: - - message: value may only be set when valueFrom is INLINE - rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' - || !has(self.value)' - maxItems: 256 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - required: - - url - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: destinationrules.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: DestinationRule - listKind: DestinationRuleList - plural: destinationrules - shortNames: - - dr - singular: destinationrule - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The name of a service from the service registry - jsonPath: .spec.host - name: Host - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting load balancing, outlier detection, - etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' - properties: - exportTo: - description: A list of namespaces to which this destination rule is - exported. - items: - type: string - type: array - host: - description: The name of a service from the service registry. - type: string - subsets: - description: One or more named sets that represent individual versions - of a service. - items: - properties: - labels: - additionalProperties: - type: string - description: Labels apply a filter over the endpoints of a service - in the service registry. - type: object - name: - description: Name of the subset. - type: string - trafficPolicy: - description: Traffic policies that apply to this subset. - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that - will be queued while waiting for a ready - connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests - to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream - connection pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent - streams allowed for a peer on one HTTP/2 - connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per - connection to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that - can be outstanding to all hosts in a cluster - at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol - will be preserved while initiating connection - to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and - TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP - connections to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE - on the socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between - keep-alive probes. - type: string - probes: - description: Maximum number of keepalive - probes to send without response before - deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer - algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP - header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP - query parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev - hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend - hosts. - properties: - minimumRingSize: - description: The minimum number of virtual - nodes to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' - separated, e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities - to traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, - this is DestinationRule-level and will override - mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the - traffic will fail over to when endpoints - in the 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered - list of labels used to sort endpoints to - do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of - Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a - host is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally - originated failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep - analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled - as long as the associated load balancing pool - has at least min_health_percent hosts in healthy - mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish - local origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the - destination service on which this policy is being - applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections - to the upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in - verifying a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use - in verifying a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds - the TLS certs for the client including the CA - certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature - and SAN for the server certificate corresponding - to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server - during TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify - the subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream - connection is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream - connection is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - required: - - name - type: object - type: array - trafficPolicy: - description: Traffic policies to apply (load balancing policy, connection - pool sizes, outlier detection). - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes to - send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query parameter. - type: string - maglev: - description: The Maglev load balancer implements consistent - hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer implements - consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes to - use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to traffic - distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this is DestinationRule-level - and will override mesh wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, failover - or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic will - fail over to when endpoints in the 'from' region - becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list of labels - used to sort endpoints to do priority based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing pool - for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long as - the associated load balancing pool has at least min_health_percent - hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local origin - failures from external errors. - type: boolean - type: object - portLevelSettings: - description: Traffic policies specific to individual ports. - items: - properties: - connectionPool: - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will - be queued while waiting for a ready connection - pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to - a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can - be outstanding to all hosts in a cluster at a - given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will - be preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the - socket to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the - connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection - needs to be idle before keep-alive probes - start being sent. - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - required: - - consistentHash - - required: - - simple - - required: - - consistentHash - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - httpCookie: - description: Hash based on HTTP cookie. - properties: - name: - description: Name of the cookie. - type: string - path: - description: Path to set for the cookie. - type: string - ttl: - description: Lifetime of the cookie. - type: string - required: - - name - type: object - httpHeaderName: - description: Hash based on a specific HTTP header. - type: string - httpQueryParameterName: - description: Hash based on a specific HTTP query - parameter. - type: string - maglev: - description: The Maglev load balancer implements - consistent hashing to backend hosts. - properties: - tableSize: - description: The table size for Maglev hashing. - minimum: 0 - type: integer - type: object - minimumRingSize: - description: Deprecated. - minimum: 0 - type: integer - ringHash: - description: The ring/modulo hash load balancer - implements consistent hashing to backend hosts. - properties: - minimumRingSize: - description: The minimum number of virtual nodes - to use for the hash ring. - minimum: 0 - type: integer - type: object - useSourceIp: - description: Hash based on the source IP address. - type: boolean - type: object - localityLbSetting: - properties: - distribute: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating locality, '/' separated, - e.g. - type: string - to: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Map of upstream localities to - traffic distribution weights. - type: object - type: object - type: array - enabled: - description: enable locality load balancing, this - is DestinationRule-level and will override mesh - wide settings in entirety. - nullable: true - type: boolean - failover: - description: 'Optional: only one of distribute, - failover or failoverPriority can be set.' - items: - properties: - from: - description: Originating region. - type: string - to: - description: Destination region the traffic - will fail over to when endpoints in the - 'from' region becomes unhealthy. - type: string - type: object - type: array - failoverPriority: - description: failoverPriority is an ordered list - of labels used to sort endpoints to do priority - based load balancing. - items: - type: string - type: array - type: object - simple: - description: |2- - - - Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST - enum: - - UNSPECIFIED - - LEAST_CONN - - RANDOM - - PASSTHROUGH - - ROUND_ROBIN - - LEAST_REQUEST - type: string - warmupDurationSecs: - description: Represents the warmup duration of Service. - type: string - type: object - outlierDetection: - properties: - baseEjectionTime: - description: Minimum ejection duration. - type: string - consecutive5xxErrors: - description: Number of 5xx errors before a host is ejected - from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveErrors: - format: int32 - type: integer - consecutiveGatewayErrors: - description: Number of gateway errors before a host - is ejected from the connection pool. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - consecutiveLocalOriginFailures: - description: The number of consecutive locally originated - failures before ejection occurs. - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - interval: - description: Time interval between ejection sweep analysis. - type: string - maxEjectionPercent: - description: Maximum % of hosts in the load balancing - pool for the upstream service that can be ejected. - format: int32 - type: integer - minHealthPercent: - description: Outlier detection will be enabled as long - as the associated load balancing pool has at least - min_health_percent hosts in healthy mode. - format: int32 - type: integer - splitExternalLocalOriginErrors: - description: Determines whether to distinguish local - origin failures from external errors. - type: boolean - type: object - port: - description: Specifies the number of a port on the destination - service on which this policy is being applied. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: TLS related settings for connections to the - upstream service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing - certificate authority certificates to use in verifying - a presented server certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS - certs for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether - the proxy should skip verifying the CA signature and - SAN for the server certificate corresponding to the - host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during - TLS handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the - subject identity in the certificate. - items: - type: string - type: array - type: object - type: object - type: array - proxyProtocol: - description: The upstream PROXY protocol settings. - properties: - version: - description: |- - The PROXY protocol version to use. - - Valid Options: V1, V2 - enum: - - V1 - - V2 - type: string - type: object - tls: - description: TLS related settings for connections to the upstream - service. - properties: - caCertificates: - description: 'OPTIONAL: The path to the file containing certificate - authority certificates to use in verifying a presented server - certificate.' - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing the - certificate revocation list (CRL) to use in verifying a - presented server certificate.' - type: string - clientCertificate: - description: REQUIRED if mode is `MUTUAL`. - type: string - credentialName: - description: The name of the secret that holds the TLS certs - for the client including the CA certificates. - type: string - insecureSkipVerify: - description: '`insecureSkipVerify` specifies whether the proxy - should skip verifying the CA signature and SAN for the server - certificate corresponding to the host.' - nullable: true - type: boolean - mode: - description: |- - Indicates whether connections to this port should be secured using TLS. - - Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL - enum: - - DISABLE - - SIMPLE - - MUTUAL - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `MUTUAL`. - type: string - sni: - description: SNI string to present to the server during TLS - handshake. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate. - items: - type: string - type: array - type: object - tunnel: - description: Configuration of tunneling TCP over other transport - or application layers for the host configured in the DestinationRule. - properties: - protocol: - description: Specifies which protocol to use for tunneling - the downstream connection. - type: string - targetHost: - description: Specifies a host to which the downstream connection - is tunneled. - type: string - targetPort: - description: Specifies a port to which the downstream connection - is tunneled. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - targetHost - - targetPort - type: object - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `DestinationRule` configuration should be applied. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - required: - - host - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: envoyfilters.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: EnvoyFilter - listKind: EnvoyFilterList - plural: envoyfilters - singular: envoyfilter - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Customizing Envoy configuration generated by Istio. See - more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' - properties: - configPatches: - description: One or more patches with match conditions. - items: - properties: - applyTo: - description: |- - Specifies where in the Envoy configuration, the patch should be applied. - - Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER - enum: - - INVALID - - LISTENER - - FILTER_CHAIN - - NETWORK_FILTER - - HTTP_FILTER - - ROUTE_CONFIGURATION - - VIRTUAL_HOST - - HTTP_ROUTE - - CLUSTER - - EXTENSION_CONFIG - - BOOTSTRAP - - LISTENER_FILTER - type: string - match: - description: Match on listener/route configuration/cluster. - oneOf: - - not: - anyOf: - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - - required: - - listener - - required: - - routeConfiguration - - required: - - cluster - properties: - cluster: - description: Match on envoy cluster attributes. - properties: - name: - description: The exact name of the cluster to match. - type: string - portNumber: - description: The service port for which this cluster - was generated. - maximum: 4294967295 - minimum: 0 - type: integer - service: - description: The fully qualified service name for this - cluster. - type: string - subset: - description: The subset associated with the service. - type: string - type: object - context: - description: |- - The specific config generation context to match on. - - Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY - enum: - - ANY - - SIDECAR_INBOUND - - SIDECAR_OUTBOUND - - GATEWAY - type: string - listener: - description: Match on envoy listener attributes. - properties: - filterChain: - description: Match a specific filter chain in a listener. - properties: - applicationProtocols: - description: Applies only to sidecars. - type: string - destinationPort: - description: The destination_port value used by - a filter chain's match condition. - maximum: 4294967295 - minimum: 0 - type: integer - filter: - description: The name of a specific filter to apply - the patch to. - properties: - name: - description: The filter name to match on. - type: string - subFilter: - description: The next level filter within this - filter to match upon. - properties: - name: - description: The filter name to match on. - type: string - type: object - type: object - name: - description: The name assigned to the filter chain. - type: string - sni: - description: The SNI value used by a filter chain's - match condition. - type: string - transportProtocol: - description: Applies only to `SIDECAR_INBOUND` context. - type: string - type: object - listenerFilter: - description: Match a specific listener filter. - type: string - name: - description: Match a specific listener by its name. - type: string - portName: - type: string - portNumber: - description: The service port/gateway port to which - traffic is being sent/received. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - proxy: - description: Match on properties associated with a proxy. - properties: - metadata: - additionalProperties: - type: string - description: Match on the node metadata supplied by - a proxy when connecting to Istio Pilot. - type: object - proxyVersion: - description: A regular expression in golang regex format - (RE2) that can be used to select proxies using a specific - version of istio proxy. - type: string - type: object - routeConfiguration: - description: Match on envoy HTTP route configuration attributes. - properties: - gateway: - description: The Istio gateway config's namespace/name - for which this route configuration was generated. - type: string - name: - description: Route configuration name to match on. - type: string - portName: - description: Applicable only for GATEWAY context. - type: string - portNumber: - description: The service port number or gateway server - port number for which this route configuration was - generated. - maximum: 4294967295 - minimum: 0 - type: integer - vhost: - description: Match a specific virtual host in a route - configuration and apply the patch to the virtual host. - properties: - name: - description: The VirtualHosts objects generated - by Istio are named as host:port, where the host - typically corresponds to the VirtualService's - host field or the hostname of a service in the - registry. - type: string - route: - description: Match a specific route within the virtual - host. - properties: - action: - description: |- - Match a route with specific action type. - - Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE - enum: - - ANY - - ROUTE - - REDIRECT - - DIRECT_RESPONSE - type: string - name: - description: The Route objects generated by - default are named as default. - type: string - type: object - type: object - type: object - type: object - patch: - description: The patch to apply along with the operation. - properties: - filterClass: - description: |- - Determines the filter insertion order. - - Valid Options: AUTHN, AUTHZ, STATS - enum: - - UNSPECIFIED - - AUTHN - - AUTHZ - - STATS - type: string - operation: - description: |- - Determines how the patch should be applied. - - Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE - enum: - - INVALID - - MERGE - - ADD - - REMOVE - - INSERT_BEFORE - - INSERT_AFTER - - INSERT_FIRST - - REPLACE - type: string - value: - description: The JSON config of the object being patched. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - priority: - description: Priority defines the order in which patch sets are applied - within a context. - format: int32 - type: integer - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this patch configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of pods/VMs - on which this gateway configuration should be applied. - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - description: The ip or the Unix domain socket to which the listener - should be bound to. - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - description: The Port on which the proxy should listen for incoming - connections. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - protocol - - name - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - - hosts - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: proxyconfigs.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ProxyConfig - listKind: ProxyConfigList - plural: proxyconfigs - singular: proxyconfig - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Provides configuration for individual workloads. See more - details at: https://istio.io/docs/reference/config/networking/proxy-config.html' - properties: - concurrency: - description: The number of worker threads to run. - format: int32 - nullable: true - type: integer - environmentVariables: - additionalProperties: - type: string - description: Additional environment variables for the proxy. - type: object - image: - description: Specifies the details of the proxy image. - properties: - imageType: - description: The image type of the image. - type: string - type: object - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: serviceentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: ServiceEntry - listKind: ServiceEntryList - plural: serviceentries - shortNames: - - se - singular: serviceentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The hosts associated with the ServiceEntry - jsonPath: .spec.hosts - name: Hosts - type: string - - description: Whether the service is external to the mesh or part of the mesh - (MESH_EXTERNAL or MESH_INTERNAL) - jsonPath: .spec.location - name: Location - type: string - - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) - jsonPath: .spec.resolution - name: Resolution - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting service registry. See more details - at: https://istio.io/docs/reference/config/networking/service-entry.html' - properties: - addresses: - description: The virtual IP addresses associated with the service. - items: - type: string - type: array - endpoints: - description: One or more endpoints associated with the service. - items: - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - type: array - exportTo: - description: A list of namespaces to which this service is exported. - items: - type: string - type: array - hosts: - description: The hosts associated with the ServiceEntry. - items: - type: string - type: array - location: - description: |- - Specify whether the service should be considered external to the mesh or part of the mesh. - - Valid Options: MESH_EXTERNAL, MESH_INTERNAL - enum: - - MESH_EXTERNAL - - MESH_INTERNAL - type: string - ports: - description: The ports associated with the external service. - items: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - description: The port number on the endpoint where the traffic - will be received. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - number - - name - type: object - type: array - resolution: - description: |- - Service resolution mode for the hosts. - - Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN - enum: - - NONE - - STATIC - - DNS - - DNS_ROUND_ROBIN - type: string - subjectAltNames: - description: If specified, the proxy will verify that the server certificate's - subject alternate name matches one of the specified values. - items: - type: string - type: array - workloadSelector: - description: Applicable only for MESH_INTERNAL services. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - required: - - hosts - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: sidecars.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Sidecar - listKind: SidecarList - plural: sidecars - singular: sidecar - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting network reachability of a sidecar. - See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' - properties: - egress: - description: Egress specifies the configuration of the sidecar for - processing outbound traffic from the attached workload instance - to other services in the mesh. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) or the Unix domain socket - to which the listener should be bound to. - type: string - captureMode: - description: |- - When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - hosts: - description: One or more service hosts exposed by the listener - in `namespace/dnsName` format. - items: - type: string - type: array - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - hosts - type: object - type: array - inboundConnectionPool: - description: Settings controlling the volume of connections Envoy - will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be queued - while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection pool - connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams allowed - for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection to - a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be preserved - while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections to a - destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket to - enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive probes. - type: string - probes: - description: Maximum number of keepalive probes to send - without response before deciding the connection is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs to be - idle before keep-alive probes start being sent. - type: string - type: object - type: object - type: object - ingress: - description: Ingress specifies the configuration of the sidecar for - processing inbound traffic to the attached workload instance. - items: - properties: - bind: - description: The IP(IPv4 or IPv6) to which the listener should - be bound. - type: string - captureMode: - description: |- - The captureMode option dictates how traffic to the listener is expected to be captured (or not). - - Valid Options: DEFAULT, IPTABLES, NONE - enum: - - DEFAULT - - IPTABLES - - NONE - type: string - connectionPool: - description: Settings controlling the volume of connections - Envoy will accept from the network. - properties: - http: - description: HTTP connection pool settings. - properties: - h2UpgradePolicy: - description: |- - Specify if http1.1 connection should be upgraded to http2 for the associated destination. - - Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE - enum: - - DEFAULT - - DO_NOT_UPGRADE - - UPGRADE - type: string - http1MaxPendingRequests: - description: Maximum number of requests that will be - queued while waiting for a ready connection pool connection. - format: int32 - type: integer - http2MaxRequests: - description: Maximum number of active requests to a - destination. - format: int32 - type: integer - idleTimeout: - description: The idle timeout for upstream connection - pool connections. - type: string - maxConcurrentStreams: - description: The maximum number of concurrent streams - allowed for a peer on one HTTP/2 connection. - format: int32 - type: integer - maxRequestsPerConnection: - description: Maximum number of requests per connection - to a backend. - format: int32 - type: integer - maxRetries: - description: Maximum number of retries that can be outstanding - to all hosts in a cluster at a given time. - format: int32 - type: integer - useClientProtocol: - description: If set to true, client protocol will be - preserved while initiating connection to backend. - type: boolean - type: object - tcp: - description: Settings common to both HTTP and TCP upstream - connections. - properties: - connectTimeout: - description: TCP connection timeout. - type: string - idleTimeout: - description: The idle timeout for TCP connections. - type: string - maxConnectionDuration: - description: The maximum duration of a connection. - type: string - maxConnections: - description: Maximum number of HTTP1 /TCP connections - to a destination host. - format: int32 - type: integer - tcpKeepalive: - description: If set then set SO_KEEPALIVE on the socket - to enable TCP Keepalives. - properties: - interval: - description: The time duration between keep-alive - probes. - type: string - probes: - description: Maximum number of keepalive probes - to send without response before deciding the connection - is dead. - maximum: 4294967295 - minimum: 0 - type: integer - time: - description: The time duration a connection needs - to be idle before keep-alive probes start being - sent. - type: string - type: object - type: object - type: object - defaultEndpoint: - description: The IP endpoint or Unix domain socket to which - traffic should be forwarded to. - type: string - port: - description: The port associated with the listener. - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - maximum: 4294967295 - minimum: 0 - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - tls: - description: Set of TLS related options that will enable TLS - termination on the sidecar for requests originating from outside - the mesh. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. - type: string - caCrl: - description: 'OPTIONAL: The path to the file containing - the certificate revocation list (CRL) to use in verifying - a presented client side certificate.' - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - description: For gateways running on Kubernetes, the name - of the secret that holds the TLS certs including the CA - certificates. - type: string - httpsRedirect: - description: If set to true, the load balancer will send - a 301 redirect for all http connections, asking the clients - to use HTTPS. - type: boolean - maxProtocolVersion: - description: |- - Optional: Maximum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: |- - Optional: Minimum TLS protocol version. - - Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be secured using TLS. - - Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - - OPTIONAL_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - description: A list of alternate names to verify the subject - identity in the certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: An optional list of hex-encoded SHA-256 hashes - of the authorized client certificates. - items: - type: string - type: array - verifyCertificateSpki: - description: An optional list of base64-encoded SHA-256 - hashes of the SPKIs of authorized client certificates. - items: - type: string - type: array - type: object - required: - - port - type: object - type: array - outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. - properties: - egressProxy: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mode: - description: |2- - - - Valid Options: REGISTRY_ONLY, ALLOW_ANY - enum: - - REGISTRY_ONLY - - ALLOW_ANY - type: string - type: object - workloadSelector: - description: Criteria used to select the specific set of pods/VMs - on which this `Sidecar` configuration should be applied. - properties: - labels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which the configuration should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - description: Indicates whether the caller is allowed to - send the actual request (not the preflight) using credentials. - nullable: true - type: boolean - allowHeaders: - description: List of HTTP headers that can be used when - requesting the resource. - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - description: A list of HTTP headers that the browsers are - allowed to access. - items: - type: string - type: array - maxAge: - description: Specifies how long the results of a preflight - request can be cached. - type: string - type: object - delegate: - description: Delegate is used to specify the particular VirtualService - which can be used to define delegate HTTPRoute. - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - directResponse: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - properties: - body: - description: Specifies the content of the response body. - oneOf: - - not: - anyOf: - - required: - - string - - required: - - bytes - - required: - - string - - required: - - bytes - properties: - bytes: - description: response body as base64 encoded bytes. - format: binary - type: string - string: - type: string - type: object - status: - description: Specifies the HTTP response status to be returned. - maximum: 4294967295 - minimum: 0 - type: integer - required: - - status - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - description: Abort Http request attempts and return error - codes back to downstream service, giving the impression - that the upstream service is faulty. - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - description: GRPC status code to use to abort the request. - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - description: Delay requests before forwarding, emulating - various failures such as network issues, overloaded upstream - service, etc. - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - authority: - description: 'HTTP Authority values are case-sensitive - and formatted as follows: - `exact: "value"` for exact - string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: The header keys must be lowercase and use - hyphen as the separator, e.g. - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - description: 'HTTP Method values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - description: 'URI Scheme values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to source (client) workloads with the given - labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - statPrefix: - description: The human readable prefix to use when emitting - statistics for this route. - type: string - uri: - description: 'URI to match values are case-sensitive and - formatted as follows: - `exact: "value"` for exact string - match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - description: Mirror HTTP traffic to a another destination in - addition to forwarding the requests to the intended destination. - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - mirror_percent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercent: - maximum: 4294967295 - minimum: 0 - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - mirrors: - description: Specifies the destinations to mirror HTTP traffic - in addition to the original destination. - items: - properties: - destination: - description: Destination specifies the target of the mirror - operation. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - percentage: - description: Percentage of the traffic to be mirrored - by the `destination` field. - properties: - value: - format: double - type: number - type: object - required: - - destination - type: object - type: array - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - description: On a redirect, overwrite the Authority/Host - portion of the URL with this value. - type: string - derivePort: - description: |- - On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. - - Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - maximum: 4294967295 - minimum: 0 - type: integer - redirectCode: - description: On a redirect, Specifies the HTTP status code - to use in the redirect response. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - description: On a redirect, overwrite the Path portion of - the URL with this value. - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - description: rewrite the path (or the prefix) portion of - the URI with this value. - type: string - uriRegexRewrite: - description: rewrite the path portion of the URI with the - specified regex. - properties: - match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - rewrite: - description: The string that should replace into matching - portions of original URI. - type: string - type: object - type: object - route: - description: A HTTP rule can either return a direct_response, - redirect or forward (default) traffic. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - type: object - type: array - tls: - description: An ordered list of route rule for non-terminated TLS - & HTTPS traffic. - items: - properties: - match: - description: Match conditions to be satisfied for the rule to - be activated. - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - maximum: 4294967295 - minimum: 0 - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - description: One or more labels that constrain the applicability - of a rule to workloads with the given labels. - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - required: - - sniHosts - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - description: Destination uniquely identifies the instances - of a service to which the request/connection should - be forwarded to. - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - maximum: 4294967295 - minimum: 0 - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - required: - - host - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - required: - - destination - type: object - type: array - required: - - match - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadentries.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadEntry - listKind: WorkloadEntryList - plural: workloadentries - shortNames: - - we - singular: workloadentry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - description: Address associated with the network endpoint. - jsonPath: .spec.address - name: Address - type: string - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting VMs onboarded into the mesh. See - more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident in - the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload if a - sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: workloadgroups.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: WorkloadGroup - listKind: WorkloadGroupList - plural: workloadgroups - shortNames: - - wg - singular: workloadgroup - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Describes a collection of workload instances. See more details - at: https://istio.io/docs/reference/config/networking/workload-group.html' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' - properties: - metadata: - description: Metadata that will be used for all corresponding `WorkloadEntries`. - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - probe: - description: '`ReadinessProbe` describes the configuration the user - must provide for healthchecking on their workload.' - oneOf: - - not: - anyOf: - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - - required: - - httpGet - - required: - - tcpSocket - - required: - - exec - properties: - exec: - description: Health is determined by how the command that is executed - exited. - properties: - command: - description: Command to run. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be - considered failed after having succeeded. - format: int32 - type: integer - httpGet: - description: '`httpGet` is performed to a given endpoint and the - status/able to connect determines health.' - properties: - host: - description: Host name to connect to, defaults to the pod - IP. - type: string - httpHeaders: - description: Headers the proxy will pass on to make the request. - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - description: Port on which the endpoint lives. - maximum: 4294967295 - minimum: 0 - type: integer - scheme: - type: string - required: - - port - type: object - initialDelaySeconds: - description: Number of seconds after the container has started - before readiness probes are initiated. - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be - considered successful after having failed. - format: int32 - type: integer - tcpSocket: - description: Health is determined by if the proxy is able to connect. - properties: - host: - type: string - port: - maximum: 4294967295 - minimum: 0 - type: integer - required: - - port - type: object - timeoutSeconds: - description: Number of seconds after which the probe times out. - format: int32 - type: integer - type: object - template: - description: Template to be used for the generation of `WorkloadEntry` - resources that belong to this `WorkloadGroup`. - properties: - address: - description: Address associated with the network endpoint without - the port. - type: string - labels: - additionalProperties: - type: string - description: One or more labels associated with the endpoint. - type: object - locality: - description: The locality associated with the endpoint. - type: string - network: - description: Network enables Istio to group endpoints resident - in the same L3 domain/network. - type: string - ports: - additionalProperties: - maximum: 4294967295 - minimum: 0 - type: integer - description: Set of ports associated with the endpoint. - type: object - serviceAccount: - description: The service account associated with the workload - if a sidecar is present in the workload. - type: string - weight: - description: The load balancing weight associated with the endpoint. - maximum: 4294967295 - minimum: 0 - type: integer - type: object - required: - - template - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: authorizationpolicies.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: AuthorizationPolicy - listKind: AuthorizationPolicyList - plural: authorizationpolicies - shortNames: - - ap - singular: authorizationpolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: The operation to take. - jsonPath: .spec.action - name: Action - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration for access control on workloads. See more - details at: https://istio.io/docs/reference/config/security/authorization-policy.html' - oneOf: - - not: - anyOf: - - required: - - provider - - required: - - provider - properties: - action: - description: |- - Optional. - - Valid Options: ALLOW, DENY, AUDIT, CUSTOM - enum: - - ALLOW - - DENY - - AUDIT - - CUSTOM - type: string - provider: - description: Specifies detailed configuration of the CUSTOM action. - properties: - name: - description: Specifies the name of the extension provider. - type: string - type: object - rules: - description: Optional. - items: - properties: - from: - description: Optional. - items: - properties: - source: - description: Source specifies the source of a request. - properties: - ipBlocks: - description: Optional. - items: - type: string - type: array - namespaces: - description: Optional. - items: - type: string - type: array - notIpBlocks: - description: Optional. - items: - type: string - type: array - notNamespaces: - description: Optional. - items: - type: string - type: array - notPrincipals: - description: Optional. - items: - type: string - type: array - notRemoteIpBlocks: - description: Optional. - items: - type: string - type: array - notRequestPrincipals: - description: Optional. - items: - type: string - type: array - principals: - description: Optional. - items: - type: string - type: array - remoteIpBlocks: - description: Optional. - items: - type: string - type: array - requestPrincipals: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - to: - description: Optional. - items: - properties: - operation: - description: Operation specifies the operation of a request. - properties: - hosts: - description: Optional. - items: - type: string - type: array - methods: - description: Optional. - items: - type: string - type: array - notHosts: - description: Optional. - items: - type: string - type: array - notMethods: - description: Optional. - items: - type: string - type: array - notPaths: - description: Optional. - items: - type: string - type: array - notPorts: - description: Optional. - items: - type: string - type: array - paths: - description: Optional. - items: - type: string - type: array - ports: - description: Optional. - items: - type: string - type: array - type: object - type: object - type: array - when: - description: Optional. - items: - properties: - key: - description: The name of an Istio attribute. - type: string - notValues: - description: Optional. - items: - type: string - type: array - values: - description: Optional. - items: - type: string - type: array - required: - - key - type: object - type: array - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: peerauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: PeerAuthentication - listKind: PeerAuthenticationList - plural: peerauthentications - shortNames: - - pa - singular: peerauthentication - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: Defines the mTLS mode used for peer authentication. - jsonPath: .spec.mtls.mode - name: Mode - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Peer authentication configuration for workloads. See more - details at: https://istio.io/docs/reference/config/security/peer_authentication.html' - properties: - mtls: - description: Mutual TLS settings for workload. - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - portLevelMtls: - additionalProperties: - properties: - mode: - description: |- - Defines the mTLS mode used for peer authentication. - - Valid Options: DISABLE, PERMISSIVE, STRICT - enum: - - UNSET - - DISABLE - - PERMISSIVE - - STRICT - type: string - type: object - description: Port specific mutual TLS settings. - type: object - selector: - description: The selector determines the workloads to apply the PeerAuthentication - on. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio - name: requestauthentications.security.istio.io -spec: - group: security.istio.io - names: - categories: - - istio-io - - security-istio-io - kind: RequestAuthentication - listKind: RequestAuthenticationList - plural: requestauthentications - shortNames: - - ra - singular: requestauthentication - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - required: - - issuer - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Request authentication configuration for workloads. See - more details at: https://istio.io/docs/reference/config/security/request_authentication.html' - properties: - jwtRules: - description: Define the list of JWTs that can be validated at the - selected workloads' proxy. - items: - properties: - audiences: - description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) - that are allowed to access. - items: - type: string - type: array - forwardOriginalToken: - description: If set to true, the original token will be kept - for the upstream request. - type: boolean - fromCookies: - description: List of cookie names from which JWT is expected. - items: - type: string - type: array - fromHeaders: - description: List of header locations from which JWT is expected. - items: - properties: - name: - description: The HTTP header name. - type: string - prefix: - description: The prefix that should be stripped before - decoding the token. - type: string - required: - - name - type: object - type: array - fromParams: - description: List of query parameters from which JWT is expected. - items: - type: string - type: array - issuer: - description: Identifies the issuer that issued the JWT. - type: string - jwks: - description: JSON Web Key Set of public keys to validate signature - of the JWT. - type: string - jwks_uri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - jwksUri: - description: URL of the provider's public key set to validate - signature of the JWT. - type: string - outputClaimToHeaders: - description: This field specifies a list of operations to copy - the claim to HTTP headers on a successfully verified token. - items: - properties: - claim: - description: The name of the claim to be copied from. - type: string - header: - description: The name of the header to be created. - type: string - type: object - type: array - outputPayloadToHeader: - description: This field specifies the header name to output - a successfully verified JWT payload to the backend. - type: string - timeout: - description: The maximum amount of time that the resolver, determined - by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, - will spend waiting for the JWKS to be fetched. - type: string - required: - - issuer - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io - - telemetry-istio-io - kind: Telemetry - listKind: TelemetryList - plural: telemetries - shortNames: - - telemetry - singular: telemetry - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} - - additionalPrinterColumns: - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Telemetry configuration for workloads. See more details - at: https://istio.io/docs/reference/config/telemetry.html' - properties: - accessLogging: - description: Optional. - items: - properties: - disabled: - description: Controls logging. - nullable: true - type: boolean - filter: - description: Optional. - properties: - expression: - description: CEL expression for selecting when requests/connections - should be logged. - type: string - type: object - match: - description: Allows tailoring of logging behavior to specific - conditions. - properties: - mode: - description: |- - This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - type: array - metrics: - description: Optional. - items: - properties: - overrides: - description: Optional. - items: - properties: - disabled: - description: Optional. - nullable: true - type: boolean - match: - description: Match allows providing the scope of the override. - oneOf: - - not: - anyOf: - - required: - - metric - - required: - - customMetric - - required: - - metric - - required: - - customMetric - properties: - customMetric: - description: Allows free-form specification of a metric. - minLength: 1 - type: string - metric: - description: |- - One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). - - Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES - enum: - - ALL_METRICS - - REQUEST_COUNT - - REQUEST_DURATION - - REQUEST_SIZE - - RESPONSE_SIZE - - TCP_OPENED_CONNECTIONS - - TCP_CLOSED_CONNECTIONS - - TCP_SENT_BYTES - - TCP_RECEIVED_BYTES - - GRPC_REQUEST_MESSAGES - - GRPC_RESPONSE_MESSAGES - type: string - mode: - description: |- - Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - tagOverrides: - additionalProperties: - properties: - operation: - description: |- - Operation controls whether or not to update/add a tag, or to remove it. - - Valid Options: UPSERT, REMOVE - enum: - - UPSERT - - REMOVE - type: string - value: - description: Value is only considered if the operation - is `UPSERT`. - type: string - type: object - x-kubernetes-validations: - - message: value must be set when operation is UPSERT - rule: '((has(self.operation) ? self.operation : '''') - == ''UPSERT'') ? self.value != '''' : true' - - message: value must not be set when operation is REMOVE - rule: '((has(self.operation) ? self.operation : '''') - == ''REMOVE'') ? !has(self.value) : true' - description: Optional. - type: object - type: object - type: array - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - reportingInterval: - description: Optional. - type: string - type: object - type: array - selector: - description: Optional. - properties: - matchLabels: - additionalProperties: - type: string - description: One or more labels that indicate a specific set of - pods/VMs on which a policy should be applied. - type: object - type: object - targetRef: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - targetRefs: - description: Optional. - items: - properties: - group: - description: group is the group of the target resource. - type: string - kind: - description: kind is kind of the target resource. - type: string - name: - description: name is the name of the target resource. - type: string - namespace: - description: namespace is the namespace of the referent. - type: string - type: object - type: array - tracing: - description: Optional. - items: - properties: - customTags: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - literal - - required: - - environment - - required: - - header - - required: - - literal - - required: - - environment - - required: - - header - properties: - environment: - description: Environment adds the value of an environment - variable to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the environment variable from - which to extract the tag value. - minLength: 1 - type: string - required: - - name - type: object - header: - description: RequestHeader adds the value of an header - from the request to each span. - properties: - defaultValue: - description: Optional. - type: string - name: - description: Name of the header from which to extract - the tag value. - minLength: 1 - type: string - required: - - name - type: object - literal: - description: Literal adds the same, hard-coded value to - each span. - properties: - value: - description: The tag value to use. - minLength: 1 - type: string - required: - - value - type: object - type: object - description: Optional. - type: object - disableSpanReporting: - description: Controls span reporting. - nullable: true - type: boolean - match: - description: Allows tailoring of behavior to specific conditions. - properties: - mode: - description: |- - This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. - - Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER - enum: - - CLIENT_AND_SERVER - - CLIENT - - SERVER - type: string - type: object - providers: - description: Optional. - items: - properties: - name: - description: Required. - minLength: 1 - type: string - required: - - name - type: object - type: array - randomSamplingPercentage: - description: Controls the rate at which traffic will be selected - for tracing if no prior sampling decision has been made. - format: double - maximum: 100 - minimum: 0 - nullable: true - type: number - useRequestIdForTraceSampling: - nullable: true - type: boolean - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} diff --git a/resources/v1.22.3/charts/base/files/profile-ambient.yaml b/resources/v1.22.3/charts/base/files/profile-ambient.yaml deleted file mode 100644 index 7b2c18c17..000000000 --- a/resources/v1.22.3/charts/base/files/profile-ambient.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 480718f1c..000000000 --- a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 808d224ed..000000000 --- a/resources/v1.22.3/charts/base/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/base/files/profile-demo.yaml b/resources/v1.22.3/charts/base/files/profile-demo.yaml deleted file mode 100644 index 83b9d6b66..000000000 --- a/resources/v1.22.3/charts/base/files/profile-demo.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml b/resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd145..000000000 --- a/resources/v1.22.3/charts/base/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/resources/v1.22.3/charts/base/files/profile-openshift.yaml b/resources/v1.22.3/charts/base/files/profile-openshift.yaml deleted file mode 100644 index 18f61b88f..000000000 --- a/resources/v1.22.3/charts/base/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/resources/v1.22.3/charts/base/files/profile-preview.yaml b/resources/v1.22.3/charts/base/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/v1.22.3/charts/base/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.3/charts/base/files/profile-stable.yaml b/resources/v1.22.3/charts/base/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/v1.22.3/charts/base/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/v1.22.3/charts/base/templates/NOTES.txt b/resources/v1.22.3/charts/base/templates/NOTES.txt deleted file mode 100644 index f12616f57..000000000 --- a/resources/v1.22.3/charts/base/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -Istio base successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.22.3/charts/base/templates/crds.yaml b/resources/v1.22.3/charts/base/templates/crds.yaml deleted file mode 100644 index af9901c6e..000000000 --- a/resources/v1.22.3/charts/base/templates/crds.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{- if .Values.base.enableCRDTemplates }} -{{ .Files.Get "crds/crd-all.gen.yaml" }} -{{- end }} diff --git a/resources/v1.22.3/charts/base/templates/default.yaml b/resources/v1.22.3/charts/base/templates/default.yaml deleted file mode 100644 index e5b346591..000000000 --- a/resources/v1.22.3/charts/base/templates/default.yaml +++ /dev/null @@ -1,54 +0,0 @@ -{{- if not (eq .Values.defaultRevision "") }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istiod-default-validator - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision | quote }} -webhooks: - - name: validation.istio.io - clientConfig: - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - {{- if (eq .Values.defaultRevision "default") }} - name: istiod - {{- else }} - name: istiod-{{ .Values.defaultRevision }} - {{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} diff --git a/resources/v1.22.3/charts/base/templates/endpoints.yaml b/resources/v1.22.3/charts/base/templates/endpoints.yaml deleted file mode 100644 index 36575202d..000000000 --- a/resources/v1.22.3/charts/base/templates/endpoints.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} -# if the remotePilotAddress is an IP addr -apiVersion: v1 -kind: Endpoints -metadata: - {{- if .Values.pilot.enabled }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} -subsets: -- addresses: - - ip: {{ .Values.global.remotePilotAddress }} - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 15017 - name: tcp-webhook - protocol: TCP ---- -{{- end }} diff --git a/resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml b/resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml deleted file mode 100644 index d9ce18c27..000000000 --- a/resources/v1.22.3/charts/base/templates/reader-serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# This service account aggregates reader permissions for the revisions in a given cluster -# Should be used for remote secret creation. -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} diff --git a/resources/v1.22.3/charts/base/templates/services.yaml b/resources/v1.22.3/charts/base/templates/services.yaml deleted file mode 100644 index fc1fa1a2f..000000000 --- a/resources/v1.22.3/charts/base/templates/services.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.global.remotePilotAddress }} -apiVersion: v1 -kind: Service -metadata: - {{- if .Values.pilot.enabled }} - # when local istiod is enabled, we can't use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote - {{- else }} - # when local istiod isn't enabled, we can use istiod service name to reach the remote control plane - name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} - {{- end }} - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 15012 - name: tcp-istiod - protocol: TCP - - port: 443 - targetPort: 15017 - name: tcp-webhook - protocol: TCP - {{- if not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress) }} - # if the remotePilotAddress is not an IP addr, we use ExternalName - type: ExternalName - externalName: {{ .Values.global.remotePilotAddress }} - {{- end }} -{{- if .Values.global.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} -{{- end }} -{{- if .Values.global.ipFamilies }} - ipFamilies: -{{- range .Values.global.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} ---- -{{- end }} diff --git a/resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml b/resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index 2376d995a..000000000 --- a/resources/v1.22.3/charts/base/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,51 +0,0 @@ -{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-default-policy.istio.io" - labels: - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.defaultRevision }} -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-default-policy-binding.istio.io" -spec: - policyName: "stable-channel-default-policy.istio.io" - validationActions: [Deny] -{{- end }} diff --git a/resources/v1.22.3/charts/base/templates/zzz_profile.yaml b/resources/v1.22.3/charts/base/templates/zzz_profile.yaml deleted file mode 100644 index 6359d435a..000000000 --- a/resources/v1.22.3/charts/base/templates/zzz_profile.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/base/values.yaml b/resources/v1.22.3/charts/base/values.yaml deleted file mode 100644 index 88bca4329..000000000 --- a/resources/v1.22.3/charts/base/values.yaml +++ /dev/null @@ -1,40 +0,0 @@ -defaults: - global: - - # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - - # Used to locate istiod. - istioNamespace: istio-system - - externalIstiod: false - remotePilotAddress: "" - - # Platform where Istio is deployed. Possible values are: "openshift", "gcp". - # An empty value means it is a vanilla Kubernetes distribution, therefore no special - # treatment will be considered. - platform: "" - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - # This is intended only for use with external istiod. - ipFamilyPolicy: "" - ipFamilies: [] - - base: - # Used for helm2 to add the CRDs to templates. - enableCRDTemplates: false - - # Validation webhook configuration url - # For example: https://$remotePilotAddress:15017/validate - validationURL: "" - # Validation webhook caBundle value. Useful when running pilot with a well known cert - validationCABundle: "" - - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - defaultRevision: "default" - experimental: - stableValidationPolicy: false diff --git a/resources/v1.22.3/charts/cni/Chart.yaml b/resources/v1.22.3/charts/cni/Chart.yaml deleted file mode 100644 index 990f1e4e3..000000000 --- a/resources/v1.22.3/charts/cni/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -appVersion: 1.22.3 -description: Helm chart for istio-cni components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-cni -- istio -name: cni -sources: -- https://github.com/istio/istio -version: 1.22.3 diff --git a/resources/v1.22.3/charts/cni/README.md b/resources/v1.22.3/charts/cni/README.md deleted file mode 100644 index a8b78d5bd..000000000 --- a/resources/v1.22.3/charts/cni/README.md +++ /dev/null @@ -1,65 +0,0 @@ -# Istio CNI Helm Chart - -This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) -for more information. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-cni`: - -```console -helm install istio-cni istio/cni -n kube-system -``` - -Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) -`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow -'system-node-critical' outside of kube-system. - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istio-cni -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Ambient - -To enable ambient, you can use the ambient profile: `--set profile=ambient`. - -#### Calico - -For Calico, you must also modify the settings to allow source spoofing: - -- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` -- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) - -### GKE notes - -On GKE, 'kube-system' is required. - -If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` -it is auto-detected. diff --git a/resources/v1.22.3/charts/cni/files/profile-ambient.yaml b/resources/v1.22.3/charts/cni/files/profile-ambient.yaml deleted file mode 100644 index 7b2c18c17..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-ambient.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 480718f1c..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 808d224ed..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/cni/files/profile-demo.yaml b/resources/v1.22.3/charts/cni/files/profile-demo.yaml deleted file mode 100644 index 83b9d6b66..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-demo.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml b/resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd145..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/resources/v1.22.3/charts/cni/files/profile-openshift.yaml b/resources/v1.22.3/charts/cni/files/profile-openshift.yaml deleted file mode 100644 index 18f61b88f..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/resources/v1.22.3/charts/cni/files/profile-preview.yaml b/resources/v1.22.3/charts/cni/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.3/charts/cni/files/profile-stable.yaml b/resources/v1.22.3/charts/cni/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/v1.22.3/charts/cni/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/v1.22.3/charts/cni/templates/NOTES.txt b/resources/v1.22.3/charts/cni/templates/NOTES.txt deleted file mode 100644 index fb35525b9..000000000 --- a/resources/v1.22.3/charts/cni/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -"{{ .Release.Name }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.22.3/charts/cni/templates/clusterrole.yaml b/resources/v1.22.3/charts/cni/templates/clusterrole.yaml deleted file mode 100644 index fda1c15fc..000000000 --- a/resources/v1.22.3/charts/cni/templates/clusterrole.yaml +++ /dev/null @@ -1,74 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -- apiGroups: [""] - resources: ["pods","nodes","namespaces"] - verbs: ["get", "list", "watch"] -{{- if (eq .Values.platform "openshift") }} -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] -{{- end }} ---- -{{- if .Values.cni.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni-repair-role - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["watch", "get", "list"] -{{- if .Values.cni.repair.repairPods }} -{{- /* No privileges needed*/}} -{{- else if .Values.cni.repair.deletePods }} - - apiGroups: [""] - resources: ["pods"] - verbs: ["delete"] -{{- else if .Values.cni.repair.labelPods }} - - apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} -{{- end }} ---- -{{- if .Values.cni.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-cni-ambient - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -rules: -- apiGroups: [""] - {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} - resources: ["pods/status"] - verbs: ["patch", "update"] -{{- end }} diff --git a/resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml b/resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml deleted file mode 100644 index 570f15cfb..000000000 --- a/resources/v1.22.3/charts/cni/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.cni.repair.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni-repair-rolebinding - labels: - k8s-app: istio-cni-repair - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -subjects: -- kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni-repair-role -{{- end }} ---- -{{- if .Values.cni.ambient.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-cni-ambient - labels: - k8s-app: istio-cni-repair - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -subjects: - - kind: ServiceAccount - name: istio-cni - namespace: {{ .Release.Namespace}} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-cni-ambient -{{- end }} \ No newline at end of file diff --git a/resources/v1.22.3/charts/cni/templates/configmap-cni.yaml b/resources/v1.22.3/charts/cni/templates/configmap-cni.yaml deleted file mode 100644 index cf4e020de..000000000 --- a/resources/v1.22.3/charts/cni/templates/configmap-cni.yaml +++ /dev/null @@ -1,34 +0,0 @@ -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: ConfigMap -apiVersion: v1 -metadata: - name: istio-cni-config - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -data: - # The CNI network configuration to add to the plugin chain on each node. The special - # values in this config will be automatically populated. - cni_network_config: |- - { - "cniVersion": "0.3.1", - "name": "istio-cni", - "type": "istio-cni", - "log_level": {{ quote .Values.cni.logLevel }}, - "log_uds_address": "__LOG_UDS_ADDRESS__", - {{if .Values.cni.ambient.enabled}}"ambient_enabled": true,{{end}} - "cni_event_address": "__CNI_EVENT_ADDRESS__", - "kubernetes": { - "kubeconfig": "__KUBECONFIG_FILEPATH__", - "cni_bin_dir": {{ .Values.cni.cniBinDir | default $defaultBinDir | quote }}, - "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] - } - } diff --git a/resources/v1.22.3/charts/cni/templates/daemonset.yaml b/resources/v1.22.3/charts/cni/templates/daemonset.yaml deleted file mode 100644 index 51a168457..000000000 --- a/resources/v1.22.3/charts/cni/templates/daemonset.yaml +++ /dev/null @@ -1,234 +0,0 @@ -# This manifest installs the Istio install-cni container, as well -# as the Istio CNI plugin and config on -# each master and worker node in a Kubernetes cluster. -{{- $defaultBinDir := - (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary - "/home/kubernetes/bin" - "/opt/cni/bin" -}} -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: istio-cni-node - namespace: {{ .Release.Namespace }} - labels: - k8s-app: istio-cni-node - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" -spec: - selector: - matchLabels: - k8s-app: istio-cni-node - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: {{ .Values.cni.rollingMaxUnavailable }} - template: - metadata: - labels: - k8s-app: istio-cni-node - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - annotations: - sidecar.istio.io/inject: "false" - # Add Prometheus Scrape annotations - prometheus.io/scrape: 'true' - prometheus.io/port: "15014" - prometheus.io/path: '/metrics' - # Custom annotations - {{- if .Values.cni.podAnnotations }} -{{ toYaml .Values.cni.podAnnotations | indent 8 }} - {{- end }} - spec: - {{if .Values.cni.ambient.enabled }}hostNetwork: true{{ end }} - nodeSelector: - kubernetes.io/os: linux - # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes - {{- with .Values.cni.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: - # Make sure istio-cni-node gets scheduled on all nodes. - - effect: NoSchedule - operator: Exists - # Mark the pod as a critical add-on for rescheduling. - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - priorityClassName: system-node-critical - serviceAccountName: istio-cni - # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force - # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. - terminationGracePeriodSeconds: 5 - containers: - # This container installs the Istio CNI binaries - # and CNI network config file on each node. - - name: install-cni -{{- if contains "/" .Values.cni.image }} - image: "{{ .Values.cni.image }}" -{{- else }} - image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}{{with (.Values.cni.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} -{{- end }} - readinessProbe: - httpGet: - path: /readyz - port: 8000 - securityContext: - privileged: true # always requires privilege to be useful (install node plugin, etc) - runAsGroup: 0 - runAsUser: 0 - runAsNonRoot: false - # Both ambient and sidecar repair mode require elevated node privileges to function. - # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature. - # privileged is redundant with CAP_SYS_ADMIN - # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular - # capabilities we actually require - capabilities: - drop: - - ALL - add: - # CAP_NET_ADMIN is required to allow ipset and route table access - - NET_ADMIN - # CAP_NET_RAW is required to allow iptables mutation of the `nat` table - - NET_RAW - # CAP_SYS_ADMIN is required for both ambient and repair, in order to open - # network namespaces in `/proc` to obtain descriptors for entering pod netnamespaces. - # There does not appear to be a more granular capability for this. - - SYS_ADMIN -{{- if .Values.cni.seccompProfile }} - seccompProfile: -{{ toYaml .Values.cni.seccompProfile | trim | indent 14 }} -{{- end }} - command: ["install-cni"] - args: - {{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} - {{- end}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end}} - env: -{{- if .Values.cni.cniConfFileName }} - # Name of the CNI config file to create. - - name: CNI_CONF_NAME - value: "{{ .Values.cni.cniConfFileName }}" -{{- end }} - # The CNI network config to install on each node. - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - name: istio-cni-config - key: cni_network_config - - name: CNI_NET_DIR - value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Deploy as a standalone CNI plugin or as chained? - - name: CHAINED_CNI_PLUGIN - value: "{{ .Values.cni.chained }}" - - name: REPAIR_ENABLED - value: "{{ .Values.cni.repair.enabled }}" -{{- if .Values.cni.ambient.enabled }} - - name: AMBIENT_DNS_CAPTURE - value: "{{ .Values.cni.ambient.dnsCapture }}" -{{- end }} - - name: REPAIR_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: "{{.Values.cni.repair.labelPods}}" - # Set to true to enable pod deletion - - name: REPAIR_DELETE_PODS - value: "{{.Values.cni.repair.deletePods}}" - - name: REPAIR_REPAIR_PODS - value: "{{.Values.cni.repair.repairPods}}" - - name: REPAIR_RUN_AS_DAEMON - value: "true" - - name: REPAIR_SIDECAR_ANNOTATION - value: "sidecar.istio.io/status" - - name: REPAIR_INIT_CONTAINER_NAME - value: "{{ .Values.cni.repair.initContainerName }}" - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: "{{.Values.cni.repair.brokenPodLabelKey}}" - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: "{{.Values.cni.repair.brokenPodLabelValue}}" - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: LOG_LEVEL - value: {{ .Values.cni.logLevel | quote }} - {{- if .Values.cni.ambient.enabled }} - - name: AMBIENT_ENABLED - value: "true" - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - volumeMounts: - - mountPath: /host/opt/cni/bin - name: cni-bin-dir - {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} - - mountPath: /host/proc - name: cni-host-procfs - readOnly: true - {{- end }} - - mountPath: /host/etc/cni/net.d - name: cni-net-dir - - mountPath: /var/run/istio-cni - name: cni-socket-dir - {{- if .Values.cni.ambient.enabled }} - - mountPath: /host/var/run/netns - mountPropagation: HostToContainer - name: cni-netns-dir - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - {{ end }} - resources: -{{- if .Values.cni.resources }} -{{ toYaml .Values.cni.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - volumes: - # Used to install CNI. - - name: cni-bin-dir - hostPath: - path: {{ .Values.cni.cniBinDir | default $defaultBinDir }} - {{- if or .Values.cni.repair.repairPods .Values.cni.ambient.enabled }} - - name: cni-host-procfs - hostPath: - path: /proc - type: Directory - {{- end }} - {{- if .Values.cni.ambient.enabled }} - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate - {{- end }} - - name: cni-net-dir - hostPath: - path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} - # Used for UDS sockets for logging, ambient eventing - - name: cni-socket-dir - hostPath: - path: /var/run/istio-cni - - name: cni-netns-dir - hostPath: - path: {{ .Values.cni.cniNetnsDir | default "/var/run/netns" }} - type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, - # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. - # Once the CNI does mount this, it will get populated and we're good. diff --git a/resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml b/resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml deleted file mode 100644 index 1da070baa..000000000 --- a/resources/v1.22.3/charts/cni/templates/network-attachment-definition.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if eq .Values.cni.provider "multus" }} -apiVersion: k8s.cni.cncf.io/v1 -kind: NetworkAttachmentDefinition -metadata: - name: istio-cni - namespace: default - labels: - operator.istio.io/component: "Cni" -{{- end }} diff --git a/resources/v1.22.3/charts/cni/templates/resourcequota.yaml b/resources/v1.22.3/charts/cni/templates/resourcequota.yaml deleted file mode 100644 index 15946ae72..000000000 --- a/resources/v1.22.3/charts/cni/templates/resourcequota.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.cni.resourceQuotas.enabled }} -apiVersion: v1 -kind: ResourceQuota -metadata: - name: istio-cni-resource-quota - namespace: {{ .Release.Namespace }} -spec: - hard: - pods: {{ .Values.cni.resourceQuotas.pods | quote }} - scopeSelector: - matchExpressions: - - operator: In - scopeName: PriorityClass - values: - - system-node-critical -{{- end }} diff --git a/resources/v1.22.3/charts/cni/templates/serviceaccount.yaml b/resources/v1.22.3/charts/cni/templates/serviceaccount.yaml deleted file mode 100644 index 4645db63a..000000000 --- a/resources/v1.22.3/charts/cni/templates/serviceaccount.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -{{- if .Values.global.imagePullSecrets }} -imagePullSecrets: -{{- range .Values.global.imagePullSecrets }} - - name: {{ . }} -{{- end }} -{{- end }} -metadata: - name: istio-cni - namespace: {{ .Release.Namespace }} - labels: - app: istio-cni - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Cni" diff --git a/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml b/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml deleted file mode 100644 index 6359d435a..000000000 --- a/resources/v1.22.3/charts/cni/templates/zzz_profile.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/cni/values.yaml b/resources/v1.22.3/charts/cni/values.yaml deleted file mode 100644 index f40a5f801..000000000 --- a/resources/v1.22.3/charts/cni/values.yaml +++ /dev/null @@ -1,141 +0,0 @@ -defaults: - cni: - hub: "" - tag: "" - variant: "" - image: install-cni - pullPolicy: "" - - # Configuration log level of istio-cni binary - # by default istio-cni send all logs to UDS server - # if want to see them you need change global.logging.level with cni:debug - logLevel: debug - - # Configuration file to insert istio-cni plugin configuration - # by default this will be the first file found in the cni-conf-dir - # Example - # cniConfFileName: 10-calico.conflist - - # CNI bin and conf dir override settings - # defaults: - cniBinDir: "" # Auto-detected based on version; defaults to /opt/cni/bin. - cniConfDir: /etc/cni/net.d - cniConfFileName: "" - # This directory must exist on the node, if it does not, consult your container runtime - # documentation for the appropriate path. - cniNetnsDir: # Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. - - - excludeNamespaces: - - kube-system - - # Allows user to set custom affinity for the DaemonSet - affinity: {} - - # Custom annotations on pod level, if you need them - podAnnotations: {} - - # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? - # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case - chained: true - - # Custom configuration happens based on the CNI provider. - # Possible values: "default", "multus" - provider: "default" - - # Configure ambient settings - ambient: - # If enabled, ambient redirection will be enabled - enabled: false - # Set ambient config dir path: defaults to /etc/ambient-config - configDir: "" - # If enabled, and ambient is enabled, DNS redirection will be enabled - dnsCapture: false - - - repair: - enabled: true - hub: "" - tag: "" - - # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. - # This defines the action the controller will take when a pod is detected as broken. - - # labelPods will label all pods with =. - # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). - # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. - labelPods: false - # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. - # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. - deletePods: false - # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. - # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. - # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. - repairPods: true - - initContainerName: "istio-validation" - - brokenPodLabelKey: "cni.istio.io/uninitialized" - brokenPodLabelValue: "true" - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - resources: - requests: - cpu: 100m - memory: 100Mi - - resourceQuotas: - enabled: false - pods: 5000 - - # The number of pods that can be unavailable during rolling update (see - # `updateStrategy.rollingUpdate.maxUnavailable` here: - # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). - # May be specified as a number of pods or as a percent of the total number - # of pods at the start of the update. - rollingMaxUnavailable: 1 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # For Helm compatibility. - ownerName: "" - - global: - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - - # Default tag for Istio images. - tag: 1.22.3 - - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # change cni scope level to control logging out of istio-cni-node DaemonSet - logging: - level: default:info,cni:info - - logAsJson: false - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Default resources allocated - defaultResources: - requests: - cpu: 100m - memory: 100Mi diff --git a/resources/v1.22.3/charts/gateway/Chart.yaml b/resources/v1.22.3/charts/gateway/Chart.yaml deleted file mode 100644 index 626ba6957..000000000 --- a/resources/v1.22.3/charts/gateway/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v2 -appVersion: 1.22.3 -description: Helm chart for deploying Istio gateways -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- gateways -name: gateway -sources: -- https://github.com/istio/istio -type: application -version: 1.22.3 diff --git a/resources/v1.22.3/charts/gateway/README.md b/resources/v1.22.3/charts/gateway/README.md deleted file mode 100644 index 5c064d165..000000000 --- a/resources/v1.22.3/charts/gateway/README.md +++ /dev/null @@ -1,170 +0,0 @@ -# Istio Gateway Helm Chart - -This chart installs an Istio gateway deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart with the release name `istio-ingressgateway`: - -```console -helm install istio-ingressgateway istio/gateway -``` - -## Uninstalling the Chart - -To uninstall/delete the `istio-ingressgateway` deployment: - -```console -helm delete istio-ingressgateway -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/gateway -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### OpenShift - -When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: - -```console -helm install istio-ingressgateway istio/gateway --set profile=openshift -``` - -### `image: auto` Information - -The image used by the chart, `auto`, may be unintuitive. -This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). -This allows the same configurations and lifecycle to apply to gateways as sidecars. - -Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. -See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. - -### Examples - -#### Egress Gateway - -Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): - -```yaml -service: - # Egress gateways do not need an external LoadBalancer IP - type: ClusterIP -``` - -#### Multi-network/VM Gateway - -Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: - -```yaml -networkGateway: network-1 -``` - -### Migrating from other installation methods - -Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts -following the guidance below. -If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. - -WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. - -#### Legacy Gateway Helm charts - -Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. -These are replaced by this chart. -While not required, it is recommended all new users use this chart, and existing users migrate when possible. - -This chart has the following benefits and differences: -* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). -* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. -* Published to official Istio Helm repository. -* Single chart for all gateways (Ingress, Egress, East West). - -#### General concerns - -For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. - -If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: - -```yaml -app: istio-gateway -istio: gateway # the release name with leading istio- prefix stripped -``` - -If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels -`foo=bar,istio=ingressgateway`: - -```yaml -name: my-custom-gateway # Override the name to match existing resources -labels: - app: "" # Unset default app selector label - istio: ingressgateway # override default istio selector label - foo: bar # Add the existing custom selector label -``` - -#### Migrating an existing Helm release - -An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous -installation was done like: - -```console -helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system -``` - -It could be upgraded with - -```console -helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway -``` - -Note the name and labels are overridden to match the names of the existing installation. - -Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. -If you have AuthorizationPolicies that reference port these ports, you should update them during this process, -or customize the ports to match the old defaults. -See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. - -#### Other migrations - -If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. - -The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: - -```console -KINDS=(service deployment) -RELEASE=istio-ingressgateway -NAMESPACE=istio-system -for KIND in "${KINDS[@]}"; do - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE - kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE - kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm -done -``` - -You may ignore errors about resources not being found. diff --git a/resources/v1.22.3/charts/gateway/files/profile-ambient.yaml b/resources/v1.22.3/charts/gateway/files/profile-ambient.yaml deleted file mode 100644 index 7b2c18c17..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-ambient.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 480718f1c..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 808d224ed..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/gateway/files/profile-demo.yaml b/resources/v1.22.3/charts/gateway/files/profile-demo.yaml deleted file mode 100644 index 83b9d6b66..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-demo.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml b/resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd145..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/resources/v1.22.3/charts/gateway/files/profile-openshift.yaml b/resources/v1.22.3/charts/gateway/files/profile-openshift.yaml deleted file mode 100644 index 18f61b88f..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/resources/v1.22.3/charts/gateway/files/profile-preview.yaml b/resources/v1.22.3/charts/gateway/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.3/charts/gateway/files/profile-stable.yaml b/resources/v1.22.3/charts/gateway/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/v1.22.3/charts/gateway/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/v1.22.3/charts/gateway/templates/NOTES.txt b/resources/v1.22.3/charts/gateway/templates/NOTES.txt deleted file mode 100644 index fd0142911..000000000 --- a/resources/v1.22.3/charts/gateway/templates/NOTES.txt +++ /dev/null @@ -1,9 +0,0 @@ -"{{ include "gateway.name" . }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: - * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ - * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/resources/v1.22.3/charts/gateway/templates/_helpers.tpl b/resources/v1.22.3/charts/gateway/templates/_helpers.tpl deleted file mode 100644 index a777d43bc..000000000 --- a/resources/v1.22.3/charts/gateway/templates/_helpers.tpl +++ /dev/null @@ -1,61 +0,0 @@ -{{- define "gateway.name" -}} -{{- if eq .Release.Name "RELEASE-NAME" -}} - {{- .Values.name | default "istio-ingressgateway" -}} -{{- else -}} - {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} -{{- end -}} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gateway.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{- define "gateway.labels" -}} -helm.sh/chart: {{ include "gateway.chart" . }} -{{ include "gateway.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "gateway.name" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.podLabels" -}} -{{ include "gateway.selectorLabels" . }} -{{- range $key, $val := .Values.labels }} -{{- if not (or (eq $key "app") (eq $key "istio")) }} -{{ $key | quote }}: {{ $val | quote }} -{{- end }} -{{- end }} -{{- end }} - -{{- define "gateway.selectorLabels" -}} -{{- if hasKey .Values.labels "app" }} -{{- with .Values.labels.app }}app: {{.|quote}} -{{- end}} -{{- else }}app: {{ include "gateway.name" . }} -{{- end }} -{{- if hasKey .Values.labels "istio" }} -{{- with .Values.labels.istio }} -istio: {{.|quote}} -{{- end}} -{{- else }} -istio: {{ include "gateway.name" . | trimPrefix "istio-" }} -{{- end }} -{{- end }} - -{{- define "gateway.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} -{{- else }} -{{- .Values.serviceAccount.name | default "default" }} -{{- end }} -{{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/deployment.yaml b/resources/v1.22.3/charts/gateway/templates/deployment.yaml deleted file mode 100644 index c8dc4848c..000000000 --- a/resources/v1.22.3/charts/gateway/templates/deployment.yaml +++ /dev/null @@ -1,111 +0,0 @@ -apiVersion: apps/v1 -kind: {{ .Values.kind | default "Deployment" }} -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - {{- with .Values.replicaCount }} - replicas: {{ . }} - {{- end }} - {{- end }} - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - sidecar.istio.io/inject: "true" - {{- with .Values.revision }} - istio.io/rev: {{ . | quote }} - {{- end }} - {{- include "gateway.podLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "gateway.serviceAccountName" . }} - securityContext: - {{- if .Values.securityContext }} - {{- toYaml .Values.securityContext | nindent 8 }} - {{- else }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- with .Values.volumes }} - volumes: - {{ toYaml . | nindent 8 }} - {{- end }} - containers: - - name: istio-proxy - # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection - image: auto - {{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - securityContext: - {{- if .Values.containerSecurityContext }} - {{- toYaml .Values.containerSecurityContext | nindent 12 }} - {{- else }} - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - {{- if not (eq .Values.platform "openshift") }} - runAsUser: 1337 - runAsGroup: 1337 - {{- end }} - runAsNonRoot: true - {{- end }} - env: - {{- with .Values.networkGateway }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: "{{.}}" - {{- end }} - {{- range $key, $val := .Values.env }} - - name: {{ $key }} - value: {{ $val | quote }} - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.volumeMounts }} - volumeMounts: - {{ toYaml . | nindent 12 }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} - {{- with .Values.priorityClassName }} - priorityClassName: {{ . }} - {{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/hpa.yaml b/resources/v1.22.3/charts/gateway/templates/hpa.yaml deleted file mode 100644 index 1b0f9366b..000000000 --- a/resources/v1.22.3/charts/gateway/templates/hpa.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: {{ .Values.kind | default "Deployment" }} - name: {{ include "gateway.name" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - target: - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - target: - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Utilization - {{- end }} - {{- if .Values.autoscaling.autoscaleBehavior }} - behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} - {{- end }} -{{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml b/resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml deleted file mode 100644 index 77f71e7fa..000000000 --- a/resources/v1.22.3/charts/gateway/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.podDisruptionBudget }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" . | nindent 6 }} - {{- with .Values.podDisruptionBudget }} - {{- toYaml . | nindent 2 }} - {{- end }} -{{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/role.yaml b/resources/v1.22.3/charts/gateway/templates/role.yaml deleted file mode 100644 index c8a25cb72..000000000 --- a/resources/v1.22.3/charts/gateway/templates/role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} -{{- if .Values.rbac.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "gateway.serviceAccountName" . }} -subjects: -- kind: ServiceAccount - name: {{ include "gateway.serviceAccountName" . }} -{{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/service.yaml b/resources/v1.22.3/charts/gateway/templates/service.yaml deleted file mode 100644 index 9177d2a11..000000000 --- a/resources/v1.22.3/charts/gateway/templates/service.yaml +++ /dev/null @@ -1,64 +0,0 @@ -{{- if not (eq .Values.service.type "None") }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "gateway.name" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.networkGateway }} - topology.istio.io/network: "{{.}}" - {{- end }} - annotations: - {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} -spec: -{{- with .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ . }}" -{{- end }} -{{- if eq .Values.service.type "LoadBalancer" }} - {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} - allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} - {{- end }} -{{- end }} -{{- if .Values.service.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} -{{- end }} -{{- if .Values.service.ipFamilies }} - ipFamilies: -{{- range .Values.service.ipFamilies }} - - {{ . }} -{{- end }} -{{- end }} -{{- with .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml . | indent 4 }} -{{- end }} -{{- with .Values.service.externalTrafficPolicy }} - externalTrafficPolicy: "{{ . }}" -{{- end }} - type: {{ .Values.service.type }} - ports: -{{- if .Values.networkGateway }} - - name: status-port - port: 15021 - targetPort: 15021 - - name: tls - port: 15443 - targetPort: 15443 - - name: tls-istiod - port: 15012 - targetPort: 15012 - - name: tls-webhook - port: 15017 - targetPort: 15017 -{{- else }} -{{ .Values.service.ports | toYaml | indent 4 }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: {{- range .Values.service.externalIPs }} - - {{.}} - {{- end }} -{{- end }} - selector: - {{- include "gateway.selectorLabels" . | nindent 4 }} -{{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml b/resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml deleted file mode 100644 index e5b2304d6..000000000 --- a/resources/v1.22.3/charts/gateway/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "gateway.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "gateway.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml b/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml deleted file mode 100644 index 6359d435a..000000000 --- a/resources/v1.22.3/charts/gateway/templates/zzz_profile.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/gateway/values.schema.json b/resources/v1.22.3/charts/gateway/values.schema.json deleted file mode 100644 index c97d84c1e..000000000 --- a/resources/v1.22.3/charts/gateway/values.schema.json +++ /dev/null @@ -1,301 +0,0 @@ -{ - "$schema": "http://json-schema.org/schema#", - "type": "object", - "additionalProperties": false, - "$defs": { - "values": { - "type": "object", - "properties": { - "global": { - "type": "object" - }, - "affinity": { - "type": "object" - }, - "securityContext": { - "type": [ - "object", - "null" - ] - }, - "containerSecurityContext": { - "type": [ - "object", - "null" - ] - }, - "kind": { - "type": "string", - "enum": [ - "Deployment", - "DaemonSet" - ] - }, - "annotations": { - "additionalProperties": { - "type": [ - "string", - "integer" - ] - }, - "type": "object" - }, - "autoscaling": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - }, - "maxReplicas": { - "type": "integer" - }, - "minReplicas": { - "type": "integer" - }, - "targetCPUUtilizationPercentage": { - "type": "integer" - } - } - }, - "env": { - "type": "object" - }, - "labels": { - "type": "object" - }, - "name": { - "type": "string" - }, - "nodeSelector": { - "type": "object" - }, - "podAnnotations": { - "type": "object", - "properties": { - "inject.istio.io/templates": { - "type": "string" - }, - "prometheus.io/path": { - "type": "string" - }, - "prometheus.io/port": { - "type": "string" - }, - "prometheus.io/scrape": { - "type": "string" - } - } - }, - "replicaCount": { - "type": [ - "integer", - "null" - ] - }, - "resources": { - "type": "object", - "properties": { - "limits": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - }, - "requests": { - "type": "object", - "properties": { - "cpu": { - "type": "string" - }, - "memory": { - "type": "string" - } - } - } - } - }, - "revision": { - "type": "string" - }, - "compatibilityVersion": { - "type": "string" - }, - "runAsRoot": { - "type": "boolean" - }, - "unprivilegedPort": { - "type": [ - "string", - "boolean" - ], - "enum": [ - true, - false, - "auto" - ] - }, - "service": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "externalTrafficPolicy": { - "type": "string" - }, - "loadBalancerIP": { - "type": "string" - }, - "loadBalancerSourceRanges": { - "type": "array" - }, - "ipFamilies": { - "items": { - "type": "string", - "enum": [ - "IPv4", - "IPv6" - ] - } - }, - "ipFamilyPolicy": { - "type": "string", - "enum": [ - "", - "SingleStack", - "PreferDualStack", - "RequireDualStack" - ] - }, - "ports": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "targetPort": { - "type": "integer" - } - } - } - }, - "type": { - "type": "string" - } - } - }, - "serviceAccount": { - "type": "object", - "properties": { - "annotations": { - "type": "object" - }, - "name": { - "type": "string" - }, - "create": { - "type": "boolean" - } - } - }, - "rbac": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean" - } - } - }, - "tolerations": { - "type": "array" - }, - "topologySpreadConstraints": { - "type": "array" - }, - "networkGateway": { - "type": "string" - }, - "imagePullPolicy": { - "type": "string", - "enum": [ - "", - "Always", - "IfNotPresent", - "Never" - ] - }, - "imagePullSecrets": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - } - }, - "podDisruptionBudget": { - "type": "object", - "properties": { - "minAvailable": { - "type": [ - "integer", - "string" - ] - }, - "maxUnavailable": { - "type": [ - "integer", - "string" - ] - }, - "unhealthyPodEvictionPolicy": { - "type": "string", - "enum": [ - "", - "IfHealthyBudget", - "AlwaysAllow" - ] - } - } - }, - "terminationGracePeriodSeconds": { - "type": "number" - }, - "volumes": { - "type": "array", - "items": { - "type": "object" - } - }, - "volumeMounts": { - "type": "array", - "items": { - "type": "object" - } - }, - "priorityClassName": { - "type": "string" - } - } - } - }, - "defaults": { - "$ref": "#/$defs/values" - }, - "$ref": "#/$defs/values" -} diff --git a/resources/v1.22.3/charts/gateway/values.yaml b/resources/v1.22.3/charts/gateway/values.yaml deleted file mode 100644 index 1432f4d7b..000000000 --- a/resources/v1.22.3/charts/gateway/values.yaml +++ /dev/null @@ -1,152 +0,0 @@ -defaults: - # Name allows overriding the release name. Generally this should not be set - name: "" - # revision declares which revision this gateway is a part of - revision: "" - - # Controls the spec.replicas setting for the Gateway deployment if set. - # Otherwise defaults to Kubernetes Deployment default (1). - replicaCount: - - kind: Deployment - - rbac: - # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed - # when using http://gateway-api.org/. - enabled: true - - serviceAccount: - # If set, a service account will be created. Otherwise, the default is used - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set, the release name is used - name: "" - - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - prometheus.io/path: "/stats/prometheus" - inject.istio.io/templates: "gateway" - sidecar.istio.io/inject: "true" - - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} - containerSecurityContext: {} - - service: - # Type of service. Set to "None" to disable the service entirely - type: LoadBalancer - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - annotations: {} - loadBalancerIP: "" - loadBalancerSourceRanges: [] - externalTrafficPolicy: "" - externalIPs: [] - ipFamilyPolicy: "" - ipFamilies: [] - ## Whether to automatically allocate NodePorts (only for LoadBalancers). - # allocateLoadBalancerNodePorts: false - - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - autoscaling: - enabled: true - minReplicas: 1 - maxReplicas: 5 - targetCPUUtilizationPercentage: 80 - targetMemoryUtilizationPercentage: {} - autoscaleBehavior: {} - - # Pod environment variables - env: {} - - # Labels to apply to all resources - labels: {} - - # Annotations to apply to all resources - annotations: {} - - nodeSelector: {} - - tolerations: [] - - topologySpreadConstraints: [] - - affinity: {} - - # If specified, the gateway will act as a network gateway for the given network. - networkGateway: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent - imagePullPolicy: "" - - imagePullSecrets: [] - - # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. - # - # By default, the `podDisruptionBudget` is disabled (set to `{}`), - # which means that no PodDisruptionBudget resource will be created. - # - # To enable the PodDisruptionBudget, configure it by specifying the - # `minAvailable` or `maxUnavailable`. For example, to set the - # minimum number of available replicas to 1, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # - # Or, to allow a maximum of 1 unavailable replica, you can set: - # - # podDisruptionBudget: - # maxUnavailable: 1 - # - # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. - # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: - # - # podDisruptionBudget: - # minAvailable: 1 - # unhealthyPodEvictionPolicy: AlwaysAllow - # - # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: - # - # podDisruptionBudget: {} - # - podDisruptionBudget: {} - - terminationGracePeriodSeconds: 30 - - # A list of `Volumes` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumes: [] - - # A list of `VolumeMounts` added into the Gateway Pods. See - # https://kubernetes.io/docs/concepts/storage/volumes/. - volumeMounts: [] - - # Configure this to a higher priority class in order to make sure your Istio gateway pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" diff --git a/resources/v1.22.3/charts/istiod/Chart.yaml b/resources/v1.22.3/charts/istiod/Chart.yaml deleted file mode 100644 index 3cf7bd630..000000000 --- a/resources/v1.22.3/charts/istiod/Chart.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -appVersion: 1.22.3 -description: Helm chart for istio control plane -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio -- istiod -- istio-discovery -name: istiod -sources: -- https://github.com/istio/istio -version: 1.22.3 diff --git a/resources/v1.22.3/charts/istiod/README.md b/resources/v1.22.3/charts/istiod/README.md deleted file mode 100644 index ddbfbc8fe..000000000 --- a/resources/v1.22.3/charts/istiod/README.md +++ /dev/null @@ -1,73 +0,0 @@ -# Istiod Helm Chart - -This chart installs an Istiod deployment. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). - -To install the chart with the release name `istiod`: - -```console -kubectl create namespace istio-system -helm install istiod istio/istiod --namespace istio-system -``` - -## Uninstalling the Chart - -To uninstall/delete the `istiod` deployment: - -```console -helm delete istiod --namespace istio-system -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/istiod -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. - -### Examples - -#### Configuring mesh configuration settings - -Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: - -```yaml -meshConfig: - accessLogFile: /dev/stdout -``` - -#### Revisions - -Control plane revisions allow deploying multiple versions of the control plane in the same cluster. -This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) - -```yaml -revision: my-revision-name -``` diff --git a/resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml b/resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml deleted file mode 100644 index 90a6841ea..000000000 --- a/resources/v1.22.3/charts/istiod/files/gateway-injection-template.yaml +++ /dev/null @@ -1,250 +0,0 @@ -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if eq (len $containers) 1 }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{ end }} - } -spec: - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 4 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - containers: - - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- end }} - securityContext: - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.22.3/charts/istiod/files/grpc-agent.yaml b/resources/v1.22.3/charts/istiod/files/grpc-agent.yaml deleted file mode 100644 index 7290fcdca..000000000 --- a/resources/v1.22.3/charts/istiod/files/grpc-agent.yaml +++ /dev/null @@ -1,310 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} - sidecar.istio.io/rewriteAppHTTPProbers: "false", - } -spec: - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - ports: - - containerPort: 15020 - protocol: TCP - name: mesh-metrics - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - - --url=http://localhost:15020/healthz/ready - env: - - name: ISTIO_META_GENERATOR - value: grpc - - name: OUTPUT_CERTS - value: /var/lib/istio/data - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - # grpc uses xds:/// to resolve – no need to resolve VIP - - name: ISTIO_META_DNS_CAPTURE - value: "false" - - name: DISABLE_ENVOY - value: "true" - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15020 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} -{{- range $index, $container := .Spec.Containers }} -{{ if not (eq $container.Name "istio-proxy") }} - - name: {{ $container.Name }} - env: - - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" - value: "true" - - name: "GRPC_XDS_BOOTSTRAP" - value: "/etc/istio/proxy/grpc-bootstrap.json" - volumeMounts: - - mountPath: /var/lib/istio/data - name: istio-data - # UDS channel between istioagent and gRPC client for XDS/SDS - - mountPath: /etc/istio/proxy - name: istio-xds - {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} -{{- end }} -{{- end }} - volumes: - - emptyDir: - name: workload-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-xds - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.22.3/charts/istiod/files/grpc-simple.yaml b/resources/v1.22.3/charts/istiod/files/grpc-simple.yaml deleted file mode 100644 index 9ba0c7a46..000000000 --- a/resources/v1.22.3/charts/istiod/files/grpc-simple.yaml +++ /dev/null @@ -1,65 +0,0 @@ -metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" -spec: - initContainers: - - name: grpc-bootstrap-init - image: busybox:1.28 - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - env: - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: ISTIO_NAMESPACE - value: | - {{ .Values.global.istioNamespace }} - command: - - sh - - "-c" - - |- - NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" - SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" - echo ' - { - "xds_servers": [ - { - "server_uri": "'${SERVER_URI}'", - "channel_creds": [{"type": "insecure"}], - "server_features" : ["xds_v3"] - } - ], - "node": { - "id": "'${NODE_ID}'", - "metadata": { - "GENERATOR": "grpc" - } - } - }' > /var/lib/grpc/data/bootstrap.json - containers: - {{- range $index, $container := .Spec.Containers }} - - name: {{ $container.Name }} - env: - - name: GRPC_XDS_BOOTSTRAP - value: /var/lib/grpc/data/bootstrap.json - - name: GRPC_GO_LOG_VERBOSITY_LEVEL - value: "99" - - name: GRPC_GO_LOG_SEVERITY_LEVEL - value: info - volumeMounts: - - mountPath: /var/lib/grpc/data/ - name: grpc-io-proxyless-bootstrap - {{- end }} - volumes: - - name: grpc-io-proxyless-bootstrap - emptyDir: {} diff --git a/resources/v1.22.3/charts/istiod/files/injection-template.yaml b/resources/v1.22.3/charts/istiod/files/injection-template.yaml deleted file mode 100644 index 248b7ad2f..000000000 --- a/resources/v1.22.3/charts/istiod/files/injection-template.yaml +++ /dev/null @@ -1,542 +0,0 @@ -{{- define "resources" }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} - requests: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" - {{ end }} - {{- end }} - {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} - limits: - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} - cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" - {{ end }} - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} - memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" - {{ end }} - {{- end }} - {{- else }} - {{- if .Values.global.proxy.resources }} - {{ toYaml .Values.global.proxy.resources | indent 6 }} - {{- end }} - {{- end }} -{{- end }} -{{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} -{{- $containers := list }} -{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} -metadata: - labels: - security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} - {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} - networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} - {{- end }} - service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} - service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} - annotations: { - istio.io/rev: {{ .Revision | default "default" | quote }}, - {{- if ge (len $containers) 1 }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} - kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", - {{- end }} - {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} - kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", - {{- end }} - {{- end }} -{{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} - {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} - k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', - {{- end }} - sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} - {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} - traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} - traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} - traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", - {{- end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} - {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} -{{- end }} - } -spec: - {{- $holdProxy := and - (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) - (not $nativeSidecar) }} - initContainers: - {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - - name: istio-validation - {{ else -}} - - name: istio-init - {{ end -}} - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - args: - - istio-iptables - - "-p" - - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} - - "-z" - - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - - "-u" - - {{ .ProxyUID | default "1337" | quote }} - - "-m" - - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - - "-i" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" - - "-x" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" - - "-b" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" - - "-d" - {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} - - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" - {{- else }} - - "15090,15021" - {{- end }} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} - - "-q" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" - {{ end -}} - {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} - - "-o" - - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} - - "-k" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" - {{ end -}} - {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} - - "-c" - - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" - {{ end -}} - - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" - {{ if .Values.global.logAsJson -}} - - "--log_as_json" - {{ end -}} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} - - "--run-validation" - - "--skip-rule-apply" - {{ end -}} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{- if .ProxyConfig.ProxyMetadata }} - env: - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - privileged: {{ .Values.global.proxy.privileged }} - capabilities: - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} - add: - - NET_ADMIN - - NET_RAW - {{- end }} - drop: - - ALL - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{- else }} - readOnlyRootFilesystem: true - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsUser: {{ .ProxyUID | default "1337" }} - runAsNonRoot: true - {{- end }} - {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} - {{ if not $nativeSidecar }} - containers: - {{ end }} - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{ if $nativeSidecar }}restartPolicy: Always{{end}} - ports: - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} - - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} - - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} - {{- else if $holdProxy }} - lifecycle: - postStart: - exec: - command: - - pilot-agent - - wait - {{- else if $nativeSidecar }} - {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} - lifecycle: - preStop: - exec: - command: - - pilot-agent - - request - - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} - - POST - - drain - {{- end }} - env: - {{- if eq .InboundTrafficPolicyMode "localhost" }} - - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION - value: "true" - {{- end }} - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {{- $first := true }} - {{- range $index1, $c := .Spec.Containers }} - {{- range $index2, $p := $c.Ports }} - {{- if (structToJSON $p) }} - {{if not $first}},{{end}}{{ structToJSON $p }} - {{- $first = false }} - {{- end }} - {{- end}} - {{- end}} - ] - - name: ISTIO_META_APP_CONTAINERS - value: "{{ $containers | join "," }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - {{- if .CompliancePolicy }} - - name: COMPLIANCE_POLICY - value: "{{ .CompliancePolicy }}" - {{- end }} - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" - {{- if .Values.global.network }} - - name: ISTIO_META_NETWORK - value: "{{ .Values.global.network }}" - {{- end }} - {{- if .DeploymentMeta.Name }} - - name: ISTIO_META_WORKLOAD_NAME - value: "{{ .DeploymentMeta.Name }}" - {{ end }} - {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} - - name: ISTIO_META_OWNER - value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} - {{- end}} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: ISTIO_BOOTSTRAP_OVERRIDE - value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" - {{- end }} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if .Values.global.proxy.startupProbe.enabled }} - startupProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: 0 - periodSeconds: 1 - timeoutSeconds: 3 - failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz/ready - port: 15021 - initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} - periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} - timeoutSeconds: 3 - failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} - {{ end -}} - securityContext: - {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} - allowPrivilegeEscalation: true - capabilities: - add: - - NET_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: false - runAsUser: 0 - {{- else }} - allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} - capabilities: - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - add: - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} - - NET_ADMIN - {{- end }} - {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} - - NET_BIND_SERVICE - {{- end }} - {{- end }} - drop: - - ALL - privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} - runAsNonRoot: false - runAsUser: 0 - {{- else -}} - runAsNonRoot: true - runAsUser: {{ .ProxyUID | default "1337" }} - {{- end }} - {{- end }} - resources: - {{ template "resources" . }} - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - mountPath: /etc/istio/custom-bootstrap - name: custom-bootstrap-volume - {{- end }} - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - mountPath: /etc/certs/ - name: istio-certs - readOnly: true - {{- end }} - - name: istio-podinfo - mountPath: /etc/istio/pod - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} - name: lightstep-certs - readOnly: true - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} - {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 6 }} - {{ end }} - {{- end }} - volumes: - - emptyDir: - name: workload-socket - - emptyDir: - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else }} - - emptyDir: - name: workload-certs - {{- end }} - {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} - - name: custom-bootstrap-volume - configMap: - name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} - {{- if .Values.global.mountMtlsCerts }} - # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - - name: istio-certs - secret: - optional: true - {{ if eq .Spec.ServiceAccountName "" }} - secretName: istio.default - {{ else -}} - secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} - {{ end -}} - {{- end }} - {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} - {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} - - name: "{{ $index }}" - {{ toYaml $value | indent 4 }} - {{ end }} - {{ end }} - {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} - - name: lightstep-certs - secret: - optional: true - secretName: lightstep.cacert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} diff --git a/resources/v1.22.3/charts/istiod/files/kube-gateway.yaml b/resources/v1.22.3/charts/istiod/files/kube-gateway.yaml deleted file mode 100644 index c121cb652..000000000 --- a/resources/v1.22.3/charts/istiod/files/kube-gateway.yaml +++ /dev/null @@ -1,356 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": {{.Name}} - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 8 }} - spec: - {{- if ge .KubeVersion 122 }} - {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} - securityContext: - {{- if .Values.gateways.securityContext }} - {{- toYaml .Values.gateways.securityContext | nindent 8 }} - {{- else }} - sysctls: - - name: net.ipv4.ip_unprivileged_port_start - value: "0" - {{- end }} - {{- end }} - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{- if .Values.global.proxy.resources }} - resources: - {{- toYaml .Values.global.proxy.resources | nindent 10 }} - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - securityContext: - {{- if ge .KubeVersion 122 }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 - capabilities: - drop: - - ALL - allowPrivilegeEscalation: false - privileged: false - readOnlyRootFilesystem: true - runAsUser: {{ .ProxyUID | default "1337" }} - runAsGroup: {{ .ProxyGID | default "1337" }} - runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.sts.servicePort }} - - --stsPort={{ .Values.global.sts.servicePort }} - {{- end }} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - {{- if .Values.global.proxy.lifecycle }} - lifecycle: - {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} - {{- end }} - env: - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - - name: ISTIO_META_POD_PORTS - value: "[]" - - name: ISTIO_META_APP_CONTAINERS - value: "" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ISTIO_META_INTERCEPTION_MODE - value: "{{ .ProxyConfig.InterceptionMode.String }}" - {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} - - name: ISTIO_META_NETWORK - value: {{.|quote}} - {{- end }} - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName|quote}} - - name: ISTIO_META_OWNER - value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: TRUST_DOMAIN - value: "{{ . }}" - {{- end }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- with (index .InfrastructureLabels "topology.istio.io/network") }} - - name: ISTIO_META_REQUESTED_NETWORK_VIEW - value: {{.|quote}} - {{- end }} - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - name: credential-socket - mountPath: /var/run/secrets/credential-uds - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - mountPath: /var/run/secrets/workload-spiffe-credentials - readOnly: true - {{- else }} - - name: workload-certs - mountPath: /var/run/secrets/workload-spiffe-credentials - {{- end }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - {{- end }} - - mountPath: /var/lib/istio/data - name: istio-data - # SDS channel between istioagent and Envoy - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - name: istio-podinfo - mountPath: /etc/istio/pod - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} - - name: gke-workload-certificate - csi: - driver: workloadcertificates.security.cloud.google.com - {{- else}} - - emptyDir: {} - name: workload-certs - {{- end }} - # SDS channel between istioagent and Envoy - - emptyDir: - medium: Memory - name: istio-envoy - - name: istio-data - emptyDir: {} - - name: istio-podinfo - downwardAPI: - items: - - path: "labels" - fieldRef: - fieldPath: metadata.labels - - path: "annotations" - fieldRef: - fieldPath: metadata.annotations - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: {{ .Values.global.sds.token.aud }} - {{- if eq .Values.global.pilotCertProvider "istiod" }} - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - {{- end }} - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: {{.Name}} - uid: {{.UID}} -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": {{.Name}} - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/resources/v1.22.3/charts/istiod/files/profile-ambient.yaml b/resources/v1.22.3/charts/istiod/files/profile-ambient.yaml deleted file mode 100644 index 7b2c18c17..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-ambient.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 480718f1c..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 808d224ed..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/istiod/files/profile-demo.yaml b/resources/v1.22.3/charts/istiod/files/profile-demo.yaml deleted file mode 100644 index 83b9d6b66..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-demo.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml b/resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd145..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/resources/v1.22.3/charts/istiod/files/profile-openshift.yaml b/resources/v1.22.3/charts/istiod/files/profile-openshift.yaml deleted file mode 100644 index 18f61b88f..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/resources/v1.22.3/charts/istiod/files/profile-preview.yaml b/resources/v1.22.3/charts/istiod/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.3/charts/istiod/files/profile-stable.yaml b/resources/v1.22.3/charts/istiod/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/v1.22.3/charts/istiod/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/v1.22.3/charts/istiod/files/waypoint.yaml b/resources/v1.22.3/charts/istiod/files/waypoint.yaml deleted file mode 100644 index 8613330c3..000000000 --- a/resources/v1.22.3/charts/istiod/files/waypoint.yaml +++ /dev/null @@ -1,307 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{.ServiceAccount | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - {{- if ge .KubeVersion 128 }} - # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" - {{- end }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - annotations: - {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 4 }} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - selector: - matchLabels: - "{{.GatewayNameLabel}}": "{{.Name}}" - template: - metadata: - annotations: - {{- toJsonMap - (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") - (strdict "istio.io/rev" (.Revision | default "default")) - (strdict - "prometheus.io/path" "/stats/prometheus" - "prometheus.io/port" "15020" - "prometheus.io/scrape" "true" - ) | nindent 8 }} - labels: - {{- toJsonMap - (strdict - "sidecar.istio.io/inject" "false" - "istio.io/dataplane-mode" "none" - "service.istio.io/canonical-name" .DeploymentName - "service.istio.io/canonical-revision" "latest" - ) - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - "gateway.istio.io/managed" "istio.io-mesh-controller" - ) | nindent 8}} - spec: - terminationGracePeriodSeconds: 2 - serviceAccountName: {{.ServiceAccount | quote}} - containers: - - name: istio-proxy - ports: - - containerPort: 15021 - name: status-port - protocol: TCP - - containerPort: 15090 - protocol: TCP - name: http-envoy-prom - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - args: - - proxy - - waypoint - - --domain - - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} - - --serviceCluster - - {{.ServiceAccount}}.$(POD_NAMESPACE) - - --proxyLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} - - --proxyComponentLogLevel - - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} - - --log_output_level - - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} - {{- if .Values.global.logAsJson }} - - --log_as_json - {{- end }} - env: - - name: ISTIO_META_SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: CA_ADDR - {{- if .Values.global.caAddress }} - value: {{ .Values.global.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 - {{- end }} - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PROXY_CONFIG - value: | - {{ protoToJSON .ProxyConfig }} - {{- if .ProxyConfig.ProxyMetadata }} - {{- range $key, $value := .ProxyConfig.ProxyMetadata }} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: ISTIO_META_CLUSTER_ID - value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" - {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} - {{- if $network }} - - name: ISTIO_META_NETWORK - value: "{{ $network }}" - {{- end }} - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: {{.DeploymentName}} - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} - {{- if .Values.global.meshID }} - - name: ISTIO_META_MESH_ID - value: "{{ .Values.global.meshID }}" - {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} - - name: ISTIO_META_MESH_ID - value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" - {{- end }} - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi - startupProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 1 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 4 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 15 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - privileged: false - runAsGroup: 1337 - runAsUser: 1337 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL - volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: - medium: Memory - name: go-proxy-envoy - - emptyDir: {} - name: istio-data - - emptyDir: {} - name: go-proxy-data - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - {{- if .Values.global.imagePullSecrets }} - imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} - labels: - {{- toJsonMap - .InfrastructureLabels - (strdict - "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name - ) | nindent 4 }} - name: {{.DeploymentName | quote}} - namespace: {{.Namespace | quote}} - ownerReferences: - - apiVersion: gateway.networking.k8s.io/v1beta1 - kind: Gateway - name: "{{.Name}}" - uid: "{{.UID}}" -spec: - ports: - {{- range $key, $val := .Ports }} - - name: {{ $val.Name | quote }} - port: {{ $val.Port }} - protocol: TCP - appProtocol: {{ $val.AppProtocol }} - {{- end }} - selector: - "{{.GatewayNameLabel}}": "{{.Name}}" - {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} - loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} - {{- end }} - type: {{ .ServiceType | quote }} ---- diff --git a/resources/v1.22.3/charts/istiod/templates/NOTES.txt b/resources/v1.22.3/charts/istiod/templates/NOTES.txt deleted file mode 100644 index 0771b919d..000000000 --- a/resources/v1.22.3/charts/istiod/templates/NOTES.txt +++ /dev/null @@ -1,74 +0,0 @@ -"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} - -Next steps: -{{- if (eq .Values.profile "ambient") }} - * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ - * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ -{{- else }} - * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ - * Try out our tasks to get started on common configurations: - * https://istio.io/latest/docs/tasks/traffic-management - * https://istio.io/latest/docs/tasks/security/ - * https://istio.io/latest/docs/tasks/policy-enforcement/ -{{- end }} - * Review the list of actively supported releases, CVE publications and our hardening guide: - * https://istio.io/latest/docs/releases/supported-releases/ - * https://istio.io/latest/news/security/ - * https://istio.io/latest/docs/ops/best-practices/security/ - -For further documentation see https://istio.io website - -{{- - $deps := dict - "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" - "global.certificates" "meshConfig.certificates" - "global.localityLbSetting" "meshConfig.localityLbSetting" - "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" - "global.enableTracing" "meshConfig.enableTracing" - "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" - "global.proxy.accessLogFile" "meshConfig.accessLogFile" - "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" - "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" - "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" - "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" - "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" - "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" - "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" - "global.mtls.enabled" "the PeerAuthentication resource" - "global.mtls.auto" "meshConfig.enableAutoMtls" - "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" - "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" - "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" - "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" - "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" - "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" - "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" - "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" - "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" - "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" -}} -{{- range $dep, $replace := $deps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. -{{- end }} -{{- end }} -{{- - $failDeps := dict - "telemetry.v2.prometheus.configOverride" - "telemetry.v2.stackdriver.configOverride" - "telemetry.v2.stackdriver.disableOutbound" - "telemetry.v2.stackdriver.outboundAccessLogging" -}} -{{- range $dep, $replace := $failDeps }} -{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} -{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} -{{- if not (eq $res "")}} -{{fail (print $dep " is removed")}} -{{- end }} -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/_helpers.tpl b/resources/v1.22.3/charts/istiod/templates/_helpers.tpl deleted file mode 100644 index 47b89a403..000000000 --- a/resources/v1.22.3/charts/istiod/templates/_helpers.tpl +++ /dev/null @@ -1,23 +0,0 @@ -{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} -{{ define "default-prometheus" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} -{{ define "default-sd-metrics" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} - -{{/* SD has metrics and logging split. */}} -{{ define "default-sd-logs" }} -{{- and - (not .Values.meshConfig.defaultProviders) - .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled -}} -{{- end }} \ No newline at end of file diff --git a/resources/v1.22.3/charts/istiod/templates/autoscale.yaml b/resources/v1.22.3/charts/istiod/templates/autoscale.yaml deleted file mode 100644 index 91311d08d..000000000 --- a/resources/v1.22.3/charts/istiod/templates/autoscale.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }} -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -spec: - maxReplicas: {{ .Values.pilot.autoscaleMax }} - minReplicas: {{ .Values.pilot.autoscaleMin }} - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }} - {{- if .Values.pilot.memory.targetAverageUtilization }} - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: {{ .Values.pilot.memory.targetAverageUtilization }} - {{- end }} - {{- if .Values.pilot.autoscaleBehavior }} - behavior: {{ toYaml .Values.pilot.autoscaleBehavior | nindent 4 }} - {{- end }} ---- -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/clusterrole.yaml b/resources/v1.22.3/charts/istiod/templates/clusterrole.yaml deleted file mode 100644 index a68c11451..000000000 --- a/resources/v1.22.3/charts/istiod/templates/clusterrole.yaml +++ /dev/null @@ -1,157 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - # sidecar injection controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - # configuration validation webhook controller - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - # istio configuration - # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) - # please proceed with caution - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["get", "watch", "list"] - resources: ["*"] -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] - verbs: ["update"] - # TODO: should be on just */status but wildcard is not supported - resources: ["*"] - - # Needed because status reporter sets the config map owner reference to the istiod pod - - apiGroups: [""] - verbs: ["update"] - resources: ["pods/finalizers"] -{{- end }} - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "workloadentries/status" ] - - # auto-detect installed CRD definitions - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - # discovery and routing - - apiGroups: [""] - resources: ["pods", "nodes", "services", "namespaces", "endpoints"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - -{{- if .Values.pilot.taint.enabled }} - - apiGroups: [""] - resources: ["nodes"] - verbs: ["patch"] -{{- end }} - - # ingress controller -{{- if .Values.global.istiod.enableAnalysis }} - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] -{{- end}} - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses", "ingressclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.k8s.io"] - resources: ["ingresses/status"] - verbs: ["*"] - - # required for CA's namespace controller - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - # Istiod and bootstrap. -{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} -{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} - - apiGroups: ["certificates.k8s.io"] - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: ["update", "create", "get", "delete", "watch"] - - apiGroups: ["certificates.k8s.io"] - resources: - - "signers" - resourceNames: -{{- range .Values.global.certSigners }} - - {{ . | quote }} -{{- end }} - verbs: ["approve"] -{{- end}} - - # Used by Istiod to verify the JWT tokens - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - # Used by Istiod to verify gateway SDS - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] - - # Use for Kubernetes Service APIs - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["get", "watch", "list"] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["*"] # TODO: should be on just */status but wildcard is not supported - verbs: ["update", "patch"] - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["gatewayclasses"] - verbs: ["create", "update", "patch", "delete"] - - # Needed for multicluster secret reading, possibly ingress certs in the future - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "watch", "list"] - - # Used for MCS serviceexport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: [ "get", "watch", "list", "create", "delete"] - - # Used for MCS serviceimport management - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "watch", "list"] ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: - - apiGroups: ["apps"] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "deployments" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "services" ] - - apiGroups: [""] - verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] - resources: [ "serviceaccounts"] -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml b/resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml deleted file mode 100644 index f6e425210..000000000 --- a/resources/v1.22.3/charts/istiod/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} ---- -{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: -- kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} -{{- end }} \ No newline at end of file diff --git a/resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml b/resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml deleted file mode 100644 index b4c49dfa7..000000000 --- a/resources/v1.22.3/charts/istiod/templates/configmap-jwks.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.pilot.jwksResolverExtraRootCA }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" -data: - extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }} -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/configmap.yaml b/resources/v1.22.3/charts/istiod/templates/configmap.yaml deleted file mode 100644 index b7f11e23c..000000000 --- a/resources/v1.22.3/charts/istiod/templates/configmap.yaml +++ /dev/null @@ -1,112 +0,0 @@ -{{- define "mesh" }} - # The trust domain corresponds to the trust root of a system. - # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain - trustDomain: "cluster.local" - - # The namespace to treat as the administrative root namespace for Istio configuration. - # When processing a leaf namespace Istio will search for declarations in that namespace first - # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace - # is processed as if it were declared in the leaf namespace. - rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} - - {{ $prom := include "default-prometheus" . | eq "true" }} - {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} - {{ $sdLogs := include "default-sd-logs" . | eq "true" }} - {{- if or $prom $sdMetrics $sdLogs }} - defaultProviders: - {{- if or $prom $sdMetrics }} - metrics: - {{ if $prom }}- prometheus{{ end }} - {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} - {{- end }} - {{- if and $sdMetrics $sdLogs }} - accessLogging: - - stackdriver - {{- end }} - {{- end }} - - defaultConfig: - {{- if .Values.global.meshID }} - meshId: "{{ .Values.global.meshID }}" - {{- end }} - {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} - image: - imageType: {{. | quote}} - {{- end }} - {{- if not (eq .Values.global.proxy.tracer "none") }} - tracing: - {{- if eq .Values.global.proxy.tracer "lightstep" }} - lightstep: - # Address of the LightStep Satellite pool - address: {{ .Values.global.tracer.lightstep.address }} - # Access Token used to communicate with the Satellite pool - accessToken: {{ .Values.global.tracer.lightstep.accessToken }} - {{- else if eq .Values.global.proxy.tracer "zipkin" }} - zipkin: - # Address of the Zipkin collector - address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} - {{- else if eq .Values.global.proxy.tracer "datadog" }} - datadog: - # Address of the Datadog Agent - address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} - {{- else if eq .Values.global.proxy.tracer "stackdriver" }} - stackdriver: - # enables trace output to stdout. - debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} - # The global default max number of attributes per span. - maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} - # The global default max number of annotation events per span. - maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} - # The global default max number of message events per span. - maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} - {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} - {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} -{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} - {{- end }} - {{- end }} - {{- if .Values.global.remotePilotAddress }} - {{- if .Values.pilot.enabled }} - discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 - {{- else }} - discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 - {{- end }} - {{- else }} - discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 - {{- end }} -{{- end }} - -{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} -{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} -{{- $originalMesh := include "mesh" . | fromYaml }} -{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} - -{{- if .Values.pilot.configMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: - - # Configuration file for the mesh networks to be used by the Split Horizon EDS. - meshNetworks: |- - {{- if .Values.global.meshNetworks }} - networks: -{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} - {{- else }} - networks: {} - {{- end }} - - mesh: |- -{{- if .Values.meshConfig }} -{{ $mesh | toYaml | indent 4 }} -{{- else }} -{{- include "mesh" . }} -{{- end }} ---- -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/deployment.yaml b/resources/v1.22.3/charts/istiod/templates/deployment.yaml deleted file mode 100644 index eabe69d1c..000000000 --- a/resources/v1.22.3/charts/istiod/templates/deployment.yaml +++ /dev/null @@ -1,257 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - istio: pilot - release: {{ .Release.Name }} -{{- range $key, $val := .Values.pilot.deploymentLabels }} - {{ $key }}: "{{ $val }}" -{{- end }} -spec: -{{- if not .Values.pilot.autoscaleEnabled }} -{{- if .Values.pilot.replicaCount }} - replicas: {{ .Values.pilot.replicaCount }} -{{- end }} -{{- end }} - strategy: - rollingUpdate: - maxSurge: {{ .Values.pilot.rollingMaxSurge }} - maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} - selector: - matchLabels: - {{- if ne .Values.revision "" }} - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - {{- else }} - istio: pilot - {{- end }} - template: - metadata: - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - sidecar.istio.io/inject: "false" - operator.istio.io/component: "Pilot" - {{- if ne .Values.revision "" }} - istio: istiod - {{- else }} - istio: pilot - {{- end }} - {{- range $key, $val := .Values.pilot.podLabels }} - {{ $key }}: "{{ $val }}" - {{- end }} - istio.io/dataplane-mode: none - annotations: - {{- if .Values.meshConfig.enablePrometheusMerge }} - prometheus.io/port: "15014" - prometheus.io/scrape: "true" - {{- end }} - sidecar.istio.io/inject: "false" - {{- if .Values.pilot.podAnnotations }} -{{ toYaml .Values.pilot.podAnnotations | indent 8 }} - {{- end }} - spec: -{{- if .Values.pilot.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pilot.nodeSelector | indent 8 }} -{{- end }} -{{- with .Values.pilot.affinity }} - affinity: -{{- toYaml . | nindent 8 }} -{{- end }} - tolerations: - - key: cni.istio.io/not-ready - operator: "Exists" -{{- with .Values.pilot.tolerations }} -{{- toYaml . | nindent 8 }} -{{- end }} -{{- with .Values.pilot.topologySpreadConstraints }} - topologySpreadConstraints: -{{- toYaml . | nindent 8 }} -{{- end }} - serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- if .Values.global.priorityClassName }} - priorityClassName: "{{ .Values.global.priorityClassName }}" -{{- end }} - containers: - - name: discovery -{{- if contains "/" .Values.pilot.image }} - image: "{{ .Values.pilot.image }}" -{{- else }} - image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}{{with (.Values.pilot.variant | default .Values.global.variant)}}-{{.}}{{end}}" -{{- end }} -{{- if .Values.global.imagePullPolicy }} - imagePullPolicy: {{ .Values.global.imagePullPolicy }} -{{- end }} - args: - - "discovery" - - --monitoringAddr=:15014 -{{- if .Values.global.logging.level }} - - --log_output_level={{ .Values.global.logging.level }} -{{- end}} -{{- if .Values.global.logAsJson }} - - --log_as_json -{{- end }} - - --domain - - {{ .Values.global.proxy.clusterDomain }} -{{- if .Values.pilot.taint.namespace }} - - --cniNamespace={{ .Values.pilot.taint.namespace }} -{{- end }} - - --keepaliveMaxServerConnectionAge - - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" -{{- if .Values.pilot.extraContainerArgs }} - {{- with .Values.pilot.extraContainerArgs }} - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} - ports: - - containerPort: 8080 - protocol: TCP - - containerPort: 15010 - protocol: TCP - - containerPort: 15017 - protocol: TCP - readinessProbe: - httpGet: - path: /ready - port: 8080 - initialDelaySeconds: 1 - periodSeconds: 3 - timeoutSeconds: 5 - env: - - name: REVISION - value: "{{ .Values.revision | default `default` }}" - - name: PILOT_CERT_PROVIDER - value: {{ .Values.global.pilotCertProvider }} - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: KUBECONFIG - value: /var/run/secrets/remote/config - {{- if .Values.pilot.env }} - {{- range $key, $val := .Values.pilot.env }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} -{{- if .Values.pilot.traceSampling }} - - name: PILOT_TRACE_SAMPLING - value: "{{ .Values.pilot.traceSampling }}" -{{- end }} - - name: PILOT_ENABLE_ANALYSIS - value: "{{ .Values.global.istiod.enableAnalysis }}" - - name: CLUSTER_ID - value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" - - name: GOMEMLIMIT - valueFrom: - resourceFieldRef: - resource: limits.memory - - name: GOMAXPROCS - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: PLATFORM - value: "{{ .Values.global.platform }}" - resources: -{{- if .Values.pilot.resources }} -{{ toYaml .Values.pilot.resources | trim | indent 12 }} -{{- else }} -{{ toYaml .Values.global.defaultResources | trim | indent 12 }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - ALL -{{- if .Values.pilot.seccompProfile }} - seccompProfile: -{{ toYaml .Values.pilot.seccompProfile | trim | indent 14 }} -{{- end }} - volumeMounts: - - name: istio-token - mountPath: /var/run/secrets/tokens - readOnly: true - - name: local-certs - mountPath: /var/run/secrets/istio-dns - - name: cacerts - mountPath: /etc/cacerts - readOnly: true - - name: istio-kubeconfig - mountPath: /var/run/secrets/remote - readOnly: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - mountPath: /cacerts - {{- end }} - - name: istio-csr-dns-cert - mountPath: /var/run/secrets/istiod/tls - readOnly: true - - name: istio-csr-ca-configmap - mountPath: /var/run/secrets/istiod/ca - readOnly: true - {{- with .Values.pilot.volumeMounts }} - {{- toYaml . | nindent 10 }} - {{- end }} - volumes: - # Technically not needed on this pod - but it helps debugging/testing SDS - # Should be removed after everything works. - - emptyDir: - medium: Memory - name: local-certs - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: {{ .Values.global.sds.token.aud }} - expirationSeconds: 43200 - path: istio-token - # Optional: user-generated root - - name: cacerts - secret: - secretName: cacerts - optional: true - - name: istio-kubeconfig - secret: - secretName: istio-kubeconfig - optional: true - # Optional: istio-csr dns pilot certs - - name: istio-csr-dns-cert - secret: - secretName: istiod-tls - optional: true - - name: istio-csr-ca-configmap - configMap: - name: istio-ca-root-cert - defaultMode: 420 - optional: true - {{- if .Values.pilot.jwksResolverExtraRootCA }} - - name: extracacerts - configMap: - name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - {{- end }} - {{- with .Values.pilot.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} - ---- diff --git a/resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml b/resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml deleted file mode 100644 index 24416c488..000000000 --- a/resources/v1.22.3/charts/istiod/templates/istiod-injector-configmap.yaml +++ /dev/null @@ -1,80 +0,0 @@ -{{- if not .Values.global.omitSidecarInjectorConfigMap }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} -data: -{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} - values: |- -{{ $vals := pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" -}} -{{ $pilotVals := pick .Values.pilot "cni" -}} -{{ $vals = set $vals "pilot" $pilotVals -}} -{{ $gatewayVals := pick .Values.gateways "securityContext" -}} -{{ $vals = set $vals "gateways" $gatewayVals -}} -{{ $vals | toPrettyJson | indent 4 }} - - # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching - # and istiod webhook functionality. - # - # New fields should not use Values - it is a 'primary' config object, users should be able - # to fine tune it or use it with kube-inject. - config: |- - # defaultTemplates defines the default template to use for pods that do not explicitly specify a template - {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} - defaultTemplates: -{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} - - {{ . }} -{{- end }} - {{- else }} - defaultTemplates: [sidecar] - {{- end }} - policy: {{ .Values.global.proxy.autoInject }} - alwaysInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} - neverInjectSelector: -{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} - injectedAnnotations: - {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} - "{{ $key }}": {{ $val | quote }} - {{- end }} - {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template - which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". - This should make it obvious that their installation is broken. - */}} - template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} - templates: -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} - sidecar: | -{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} - gateway: | -{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} - grpc-simple: | -{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} - grpc-agent: | -{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} - waypoint: | -{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} -{{- end }} -{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} - kube-gateway: | -{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} -{{- end }} -{{- with .Values.sidecarInjectorWebhook.templates }} -{{ toYaml . | trim | indent 6 }} -{{- end }} - -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml b/resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml deleted file mode 100644 index 542164ffc..000000000 --- a/resources/v1.22.3/charts/istiod/templates/mutatingwebhook.yaml +++ /dev/null @@ -1,158 +0,0 @@ -{{- /* Core defines the common configuration used by all webhook segments */}} -{{/* Copy just what we need to avoid expensive deepCopy */}} -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "caBundle" .Values.istiodRemote.injectionCABundle - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - {{- if .caBundle }} - caBundle: "{{ .caBundle }}" - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - reinvocationPolicy: "{{ .reinvocationPolicy }}" - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} -{{- if not .Values.global.operatorManageWebhooks }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq .Release.Namespace "istio-system"}} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} -{{- else }} - name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -{{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ .Release.Name }} -webhooks: -{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} - -{{- /* Case 1: namespace selector matches, and object doesn't disable */}} -{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - - -{{- /* Webhooks for default revision */}} -{{- if (eq .Values.revision "") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml b/resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml deleted file mode 100644 index ce61de5a9..000000000 --- a/resources/v1.22.3/charts/istiod/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.global.defaultPodDisruptionBudget.enabled }} -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - labels: - app: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - release: {{ .Release.Name }} - istio: pilot -spec: - minAvailable: 1 - selector: - matchLabels: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - istio: pilot - {{- end }} ---- -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml b/resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml deleted file mode 100644 index 68f8105bd..000000000 --- a/resources/v1.22.3/charts/istiod/templates/reader-clusterrole.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -rules: - - apiGroups: - - "config.istio.io" - - "security.istio.io" - - "networking.istio.io" - - "authentication.istio.io" - - "rbac.istio.io" - - "telemetry.istio.io" - - "extensions.istio.io" - resources: ["*"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["networking.istio.io"] - verbs: [ "get", "watch", "list" ] - resources: [ "workloadentries" ] - - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] - resources: ["gateways"] - verbs: ["get", "watch", "list"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch"] - - apiGroups: ["discovery.k8s.io"] - resources: ["endpointslices"] - verbs: ["get", "list", "watch"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceexports"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["{{ $mcsAPIGroup }}"] - resources: ["serviceimports"] - verbs: ["get", "list", "watch"] - - apiGroups: ["apps"] - resources: ["replicasets"] - verbs: ["get", "list", "watch"] - - apiGroups: ["authentication.k8s.io"] - resources: ["tokenreviews"] - verbs: ["create"] - - apiGroups: ["authorization.k8s.io"] - resources: ["subjectaccessreviews"] - verbs: ["create"] -{{- if .Values.global.externalIstiod }} - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["create", "get", "list", "watch", "update"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] -{{- end}} diff --git a/resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml deleted file mode 100644 index 4f9925c9d..000000000 --- a/resources/v1.22.3/charts/istiod/templates/reader-clusterrolebinding.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} - labels: - app: istio-reader - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: istio-reader-service-account - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.22.3/charts/istiod/templates/revision-tags.yaml b/resources/v1.22.3/charts/istiod/templates/revision-tags.yaml deleted file mode 100644 index 5884e18e3..000000000 --- a/resources/v1.22.3/charts/istiod/templates/revision-tags.yaml +++ /dev/null @@ -1,141 +0,0 @@ -# Adapted from istio-discovery/templates/mutatingwebhook.yaml -# Removed paths for legacy and default selectors since a revision tag -# is inherently created from a specific revision -{{- $whv := dict - "revision" .Values.revision - "injectionPath" .Values.istiodRemote.injectionPath - "injectionURL" .Values.istiodRemote.injectionURL - "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy - "namespace" .Release.Namespace }} -{{- define "core" }} -{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign -a unique prefix to each. */}} -- name: {{.Prefix}}sidecar-injector.istio.io - clientConfig: - {{- if .injectionURL }} - url: "{{ .injectionURL }}" - {{- else }} - service: - name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} - namespace: {{ .namespace }} - path: "{{ .injectionPath }}" - port: 443 - {{- end }} - sideEffects: None - rules: - - operations: [ "CREATE" ] - apiGroups: [""] - apiVersions: ["v1"] - resources: ["pods"] - failurePolicy: Fail - admissionReviewVersions: ["v1beta1", "v1"] -{{- end }} -{{- range $tagName := $.Values.revisionTags }} -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: -{{- if eq $.Release.Namespace "istio-system"}} - name: istio-revision-tag-{{ $tagName }} -{{- else }} - name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} -{{- end }} - labels: - istio.io/tag: {{ $tagName }} - istio.io/rev: {{ $.Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: sidecar-injector - release: {{ $.Release.Name }} -webhooks: -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio.io/rev - operator: DoesNotExist - - key: istio-injection - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - - key: istio.io/rev - operator: In - values: - - "{{ $tagName }}" - -{{- /* When the tag is "default" we want to create webhooks for the default revision */}} -{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} -{{- if (eq $tagName "default") }} - -{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: In - values: - - enabled - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: NotIn - values: - - "false" - -{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: In - values: - - "true" - - key: istio.io/rev - operator: DoesNotExist - -{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} -{{- /* Special case 3: no labels at all */}} -{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} - namespaceSelector: - matchExpressions: - - key: istio-injection - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist - - key: "kubernetes.io/metadata.name" - operator: "NotIn" - values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] - objectSelector: - matchExpressions: - - key: sidecar.istio.io/inject - operator: DoesNotExist - - key: istio.io/rev - operator: DoesNotExist -{{- end }} - -{{- end }} ---- -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/role.yaml b/resources/v1.22.3/charts/istiod/templates/role.yaml deleted file mode 100644 index 195bdde40..000000000 --- a/resources/v1.22.3/charts/istiod/templates/role.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -rules: -# permissions to verify the webhook is ready and rejecting -# invalid config. We use --server-dry-run so no config is persisted. -- apiGroups: ["networking.istio.io"] - verbs: ["create"] - resources: ["gateways"] - -# For storing CA secret -- apiGroups: [""] - resources: ["secrets"] - # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config - verbs: ["create", "get", "watch", "list", "update", "delete"] - -# For status controller, so it can delete the distribution report configmap -- apiGroups: [""] - resources: ["configmaps"] - verbs: ["delete"] - -# For gateway deployment controller -- apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "update", "patch", "create"] diff --git a/resources/v1.22.3/charts/istiod/templates/rolebinding.yaml b/resources/v1.22.3/charts/istiod/templates/rolebinding.yaml deleted file mode 100644 index 0d700f008..000000000 --- a/resources/v1.22.3/charts/istiod/templates/rolebinding.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} -subjects: - - kind: ServiceAccount - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} diff --git a/resources/v1.22.3/charts/istiod/templates/service.yaml b/resources/v1.22.3/charts/istiod/templates/service.yaml deleted file mode 100644 index 208e83561..000000000 --- a/resources/v1.22.3/charts/istiod/templates/service.yaml +++ /dev/null @@ -1,50 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Release.Namespace }} - {{- if .Values.pilot.serviceAnnotations }} - annotations: -{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} - {{- end }} - labels: - istio.io/rev: {{ .Values.revision | default "default" | quote }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} - operator.istio.io/component: "Pilot" - app: istiod - istio: pilot - release: {{ .Release.Name }} -spec: - ports: - - port: 15010 - name: grpc-xds # plaintext - protocol: TCP - - port: 15012 - name: https-dns # mTLS with k8s-signed cert - protocol: TCP - - port: 443 - name: https-webhook # validation and injection - targetPort: 15017 - protocol: TCP - - port: 15014 - name: http-monitoring # prometheus stats - protocol: TCP - selector: - app: istiod - {{- if ne .Values.revision "" }} - istio.io/rev: {{ .Values.revision | quote }} - {{- else }} - # Label used by the 'default' service. For versioned deployments we match with app and version. - # This avoids default deployment picking the canary - istio: pilot - {{- end }} - {{- if .Values.pilot.ipFamilyPolicy }} - ipFamilyPolicy: {{ .Values.pilot.ipFamilyPolicy }} - {{- end }} - {{- if .Values.pilot.ipFamilies }} - ipFamilies: - {{- range .Values.pilot.ipFamilies }} - - {{ . }} - {{- end }} - {{- end }} ---- diff --git a/resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml b/resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml deleted file mode 100644 index b7a35c7c8..000000000 --- a/resources/v1.22.3/charts/istiod/templates/serviceaccount.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- if .Values.global.imagePullSecrets }} -imagePullSecrets: - {{- range .Values.global.imagePullSecrets }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - {{- if .Values.pilot.serviceAccountAnnotations -}} - annotations: -{{- toYaml .Values.pilot.serviceAccountAnnotations | indent 4 }} - {{- end }} ---- diff --git a/resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml deleted file mode 100644 index a5cc41876..000000000 --- a/resources/v1.22.3/charts/istiod/templates/validatingadmissionpolicy.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{- if .Values.experimental.stableValidationPolicy }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicy -metadata: - name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - failurePolicy: Fail - matchConstraints: - resourceRules: - - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: ["*"] - operations: ["CREATE", "UPDATE"] - resources: ["*"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} - variables: - - name: isEnvoyFilter - expression: "object.kind == 'EnvoyFilter'" - - name: isWasmPlugin - expression: "object.kind == 'WasmPlugin'" - - name: isProxyConfig - expression: "object.kind == 'ProxyConfig'" - - name: isTelemetry - expression: "object.kind == 'Telemetry'" - validations: - - expression: "!variables.isEnvoyFilter" - - expression: "!variables.isWasmPlugin" - - expression: "!variables.isProxyConfig" - - expression: | - !( - variables.isTelemetry && ( - (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || - (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || - (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) - ) - ) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingAdmissionPolicyBinding -metadata: - name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" -spec: - policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" - validationActions: [Deny] -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index 1b44f7628..000000000 --- a/resources/v1.22.3/charts/istiod/templates/validatingwebhookconfiguration.yaml +++ /dev/null @@ -1,63 +0,0 @@ -{{- if .Values.global.configValidation }} -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} - labels: - app: istiod - release: {{ .Release.Name }} - istio: istiod - istio.io/rev: {{ .Values.revision | default "default" | quote }} -webhooks: - # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks - # are rejecting invalid configs on a per-revision basis. - - name: rev.validation.istio.io - clientConfig: - # Should change from base but cannot for API compat - {{- if .Values.base.validationURL }} - url: {{ .Values.base.validationURL }} - {{- else }} - service: - name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} - namespace: {{ .Values.global.istioNamespace }} - path: "/validate" - {{- end }} - {{- if .Values.base.validationCABundle }} - caBundle: "{{ .Values.base.validationCABundle }}" - {{- end }} - rules: - - operations: - - CREATE - - UPDATE - apiGroups: - - security.istio.io - - networking.istio.io - - telemetry.istio.io - - extensions.istio.io - apiVersions: - - "*" - resources: - - "*" - {{- if .Values.base.validationCABundle }} - # Disable webhook controller in Pilot to stop patching it - failurePolicy: Fail - {{- else }} - # Fail open until the validation webhook is ready. The webhook controller - # will update this to `Fail` and patch in the `caBundle` when the webhook - # endpoint is ready. - failurePolicy: Ignore - {{- end }} - sideEffects: None - admissionReviewVersions: ["v1beta1", "v1"] - objectSelector: - matchExpressions: - - key: istio.io/rev - operator: In - values: - {{- if (eq .Values.revision "") }} - - "default" - {{- else }} - - "{{ .Values.revision }}" - {{- end }} ---- -{{- end }} diff --git a/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml b/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml deleted file mode 100644 index 6359d435a..000000000 --- a/resources/v1.22.3/charts/istiod/templates/zzz_profile.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/istiod/values.yaml b/resources/v1.22.3/charts/istiod/values.yaml deleted file mode 100644 index cde10002b..000000000 --- a/resources/v1.22.3/charts/istiod/values.yaml +++ /dev/null @@ -1,514 +0,0 @@ -defaults: - #.Values.pilot for discovery and mesh wide config - - ## Discovery Settings - pilot: - autoscaleEnabled: true - autoscaleMin: 1 - autoscaleMax: 5 - autoscaleBehavior: {} - replicaCount: 1 - rollingMaxSurge: 100% - rollingMaxUnavailable: 25% - - hub: "" - tag: "" - variant: "" - - # Can be a full hub/image:tag - image: pilot - traceSampling: 1.0 - - # Resources for a small pilot install - resources: - requests: - cpu: 500m - memory: 2048Mi - - # Set to `type: RuntimeDefault` to use the default profile if available. - seccompProfile: {} - - # Whether to use an existing CNI installation - cni: - enabled: false - provider: default - - # Additional container arguments - extraContainerArgs: [] - - env: {} - - # Settings related to the untaint controller - # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready - # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes - taint: - # Controls whether or not the untaint controller is active - enabled: false - # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod - namespace: "" - - affinity: {} - - tolerations: [] - - cpu: - targetAverageUtilization: 80 - memory: {} - # targetAverageUtilization: 80 - - # Additional volumeMounts to the istiod container - volumeMounts: [] - - # Additional volumes to the istiod pod - volumes: [] - - nodeSelector: {} - podAnnotations: {} - serviceAnnotations: {} - serviceAccountAnnotations: {} - - topologySpreadConstraints: [] - - # You can use jwksResolverExtraRootCA to provide a root certificate - # in PEM format. This will then be trusted by pilot when resolving - # JWKS URIs. - jwksResolverExtraRootCA: "" - - # This is used to set the source of configuration for - # the associated address in configSource, if nothing is specified - # the default MCP is assumed. - configSource: - subscribedResources: [] - - # The following is used to limit how long a sidecar can be connected - # to a pilot. It balances out load across pilot instances at the cost of - # increasing system churn. - keepaliveMaxServerConnectionAge: 30m - - # Additional labels to apply to the deployment. - deploymentLabels: {} - - ## Mesh config settings - - # Install the mesh config map, generated from values.yaml. - # If false, pilot wil use default values (by default) or user-supplied values. - configMap: true - - # Additional labels to apply on the pod level for monitoring and logging configuration. - podLabels: {} - - # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services - ipFamilyPolicy: "" - ipFamilies: [] - - sidecarInjectorWebhook: - # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or - # always skip the injection on pods that match that label selector, regardless of the global policy. - # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions - neverInjectSelector: [] - alwaysInjectSelector: [] - - # injectedAnnotations are additional annotations that will be added to the pod spec after injection - # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: - # - # annotations: - # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default - # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default - # - # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before - # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: - # injectedAnnotations: - # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default - # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default - injectedAnnotations: {} - - # This enables injection of sidecar in all namespaces, - # with the exception of namespaces with "istio-injection:disabled" annotation - # Only one environment should have this enabled. - enableNamespacesByDefault: false - - # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run - # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. - # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. - reinvocationPolicy: Never - - rewriteAppHTTPProbe: true - - # Templates defines a set of custom injection templates that can be used. For example, defining: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod - # being injected with the hello=world labels. - # This is intended for advanced configuration only; most users should use the built in template - templates: {} - - # Default templates specifies a set of default templates that are used in sidecar injection. - # By default, a template `sidecar` is always provided, which contains the template of default sidecar. - # To inject other additional templates, define it using the `templates` option, and add it to - # the default templates list. - # For example: - # - # templates: - # hello: | - # metadata: - # labels: - # hello: world - # - # defaultTemplates: ["sidecar", "hello"] - defaultTemplates: [] - istiodRemote: - # Sidecar injector mutating webhook configuration clientConfig.url value. - # For example: https://$remotePilotAddress:15017/inject - # The host should not refer to a service running in the cluster; use a service reference by specifying - # the clientConfig.service field instead. - injectionURL: "" - - # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. - # Override to pass env variables, for example: /inject/cluster/remote/net/network2 - injectionPath: "/inject" - - injectionCABundle: "" - telemetry: - enabled: true - v2: - # For Null VM case now. - # This also enables metadata exchange. - enabled: true - # Indicate if prometheus stats filter is enabled or not - prometheus: - enabled: true - # stackdriver filter settings. - stackdriver: - enabled: false - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # Revision tags are aliases to Istio control plane revisions - revisionTags: [] - - # For Helm compatibility. - ownerName: "" - - # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior - # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options - meshConfig: - enablePrometheusMerge: true - - experimental: - stableValidationPolicy: false - - global: - # Used to locate istiod. - istioNamespace: istio-system - # List of cert-signers to allow "approve" action in the istio cluster role - # - # certSigners: - # - clusterissuers.cert-manager.io/istio-ca - certSigners: [] - # enable pod disruption budget for the control plane, which is used to - # ensure Istio control plane components are gradually upgraded or recovered. - defaultPodDisruptionBudget: - enabled: true - # The values aren't mutable due to a current PodDisruptionBudget limitation - # minAvailable: 1 - - # A minimal set of requested resources to applied to all deployments so that - # Horizontal Pod Autoscaler will be able to function (if set). - # Each component can overwrite these default values by adding its own resources - # block in the relevant section below and setting the desired resources values. - defaultResources: - requests: - cpu: 10m - # memory: 128Mi - # limits: - # cpu: 100m - # memory: 128Mi - - # Default hub for Istio images. - # Releases are published to docker hub under 'istio' project. - # Dev builds from prow are on gcr.io - hub: docker.io/istio - # Default tag for Istio images. - tag: 1.22.3 - # Variant of the image to use. - # Currently supported are: [debug, distroless] - variant: "" - - # Specify image pull policy if default behavior isn't desired. - # Default behavior: latest images will be Always else IfNotPresent. - imagePullPolicy: "" - - # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace - # to use for pulling any images in pods that reference this ServiceAccount. - # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) - # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. - # Must be set for any cluster configured with private docker registry. - imagePullSecrets: [] - # - private-registry-key - - # Enabled by default in master for maximising testing. - istiod: - enableAnalysis: false - - # To output all istio components logs in json format by adding --log_as_json argument to each container argument - logAsJson: false - - # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: - # The control plane has different scopes depending on component, but can configure default log level across all components - # If empty, default scope and level will be used as configured in code - logging: - level: "default:info" - - omitSidecarInjectorConfigMap: false - - # Configure whether Operator manages webhook configurations. The current behavior - # of Istiod is to manage its own webhook configurations. - # When this option is set as true, Istio Operator, instead of webhooks, manages the - # webhook configurations. When this option is set as false, webhooks manage their - # own webhook configurations. - operatorManageWebhooks: false - - # Custom DNS config for the pod to resolve names of services in other - # clusters. Use this to add additional search domains, and other settings. - # see - # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config - # This does not apply to gateway pods as they typically need a different - # set of DNS settings than the normal application pods (e.g., in - # multicluster scenarios). - # NOTE: If using templates, follow the pattern in the commented example below. - #podDNSSearchNamespaces: - #- global - #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" - - # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and - # system-node-critical, it is better to configure this in order to make sure your Istio pods - # will not be killed because of low priority class. - # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - # for more detail. - priorityClassName: "" - - proxy: - image: proxyv2 - - # This controls the 'policy' in the sidecar injector. - autoInject: enabled - - # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value - # cluster domain. Default value is "cluster.local". - clusterDomain: "cluster.local" - - # Per Component log level for proxy, applies to gateways and sidecars. If a component level is - # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:error" - - # If set, newly injected sidecars will have core dumps enabled. - enableCoreDump: false - - # istio ingress capture allowlist - # examples: - # Redirect only selected ports: --includeInboundPorts="80,8080" - excludeInboundPorts: "" - includeInboundPorts: "*" - - # istio egress capture allowlist - # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly - # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" - # would only capture egress traffic on those two IP Ranges, all other outbound traffic would - # be allowed by the sidecar - includeIPRanges: "*" - excludeIPRanges: "" - includeOutboundPorts: "" - excludeOutboundPorts: "" - - # Log level for proxy, applies to gateways and sidecars. - # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: warning - - #If set to true, istio-proxy container will have privileged securityContext - privileged: false - - # The number of successive failed probes before indicating readiness failure. - readinessFailureThreshold: 4 - - # The initial delay for readiness probes in seconds. - readinessInitialDelaySeconds: 0 - - # The period between readiness probes. - readinessPeriodSeconds: 15 - - # Enables or disables a startup probe. - # For optimal startup times, changing this should be tied to the readiness probe values. - # - # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. - # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), - # and doesn't spam the readiness endpoint too much - # - # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. - # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. - startupProbe: - enabled: true - failureThreshold: 600 # 10 minutes - - # Resources for the sidecar. - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 2000m - memory: 1024Mi - - # Default port for Pilot agent health checks. A value of 0 will disable health checking. - statusPort: 15020 - - # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. - # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. - tracer: "none" - - proxy_init: - # Base name for the proxy_init container, used to configure iptables. - image: proxyv2 - - # configure remote pilot and istiod service and endpoint - remotePilotAddress: "" - - ############################################################################################## - # The following values are found in other charts. To effectively modify these values, make # - # make sure they are consistent across your Istio helm charts # - ############################################################################################## - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - # If not set explicitly, default to the Istio discovery address. - caAddress: "" - - # Configure a remote cluster data plane controlled by an external istiod. - # When set to true, istiod is not deployed locally and only a subset of the other - # discovery charts are enabled. - externalIstiod: false - - # Configure a remote cluster as the config cluster for an external istiod. - configCluster: false - - # configValidation enables the validation webhook for Istio configuration. - configValidation: true - - # Mesh ID means Mesh Identifier. It should be unique within the scope where - # meshes will interact with each other, but it is not required to be - # globally/universally unique. For example, if any of the following are true, - # then two meshes must have different Mesh IDs: - # - Meshes will have their telemetry aggregated in one place - # - Meshes will be federated together - # - Policy will be written referencing one mesh from the other - # - # If an administrator expects that any of these conditions may become true in - # the future, they should ensure their meshes have different Mesh IDs - # assigned. - # - # Within a multicluster mesh, each cluster must be (manually or auto) - # configured to have the same Mesh ID value. If an existing cluster 'joins' a - # multicluster mesh, it will need to be migrated to the new mesh ID. Details - # of migration TBD, and it may be a disruptive operation to change the Mesh - # ID post-install. - # - # If the mesh admin does not specify a value, Istio will use the value of the - # mesh's Trust Domain. The best practice is to select a proper Trust Domain - # value. - meshID: "" - - # Configure the mesh networks to be used by the Split Horizon EDS. - # - # The following example defines two networks with different endpoints association methods. - # For `network1` all endpoints that their IP belongs to the provided CIDR range will be - # mapped to network1. The gateway for this network example is specified by its public IP - # address and port. - # The second network, `network2`, in this example is defined differently with all endpoints - # retrieved through the specified Multi-Cluster registry being mapped to network2. The - # gateway is also defined differently with the name of the gateway service on the remote - # cluster. The public IP for the gateway will be determined from that remote service (only - # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, - # it still need to be configured manually). - # - # meshNetworks: - # network1: - # endpoints: - # - fromCidr: "192.168.0.1/24" - # gateways: - # - address: 1.1.1.1 - # port: 80 - # network2: - # endpoints: - # - fromRegistry: reg1 - # gateways: - # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local - # port: 443 - # - meshNetworks: {} - - # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - mountMtlsCerts: false - - multiCluster: - # Set to true to connect two kubernetes clusters via their respective - # ingressgateway services when pods in each cluster cannot directly - # talk to one another. All clusters should be using Istio mTLS and must - # have a shared root CA for this model to work. - enabled: false - # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection - # to properly label proxies - clusterName: "" - - # Network defines the network this cluster belong to. This name - # corresponds to the networks in the map of mesh networks. - network: "" - - # Configure the certificate provider for control plane communication. - # Currently, two providers are supported: "kubernetes" and "istiod". - # As some platforms may not have kubernetes signing APIs, - # Istiod is the default - pilotCertProvider: istiod - - sds: - # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the - # JWT is intended for the CA. - token: - aud: istio-ca - - sts: - # The service port used by Security Token Service (STS) server to handle token exchange requests. - # Setting this port to a non-zero value enables STS server. - servicePort: 0 - - # The name of the CA for workload certificates. - # For example, when caName=GkeWorkloadCertificate, GKE workload certificates - # will be used as the certificates for workloads. - # The default value is "" and when caName="", the CA will be configured by other - # mechanisms (e.g., environmental variable CA_PROVIDER). - caName: "" - - # whether to use autoscaling/v2 template for HPA settings - # for internal usage only, not to be configured by users. - autoscalingv2API: true - - base: - # For istioctl usage to disable istio config crds in base - enableIstioConfigCRDs: true - - # `istio_cni` has been deprecated and will be removed in a future release. use `pilot.cni` instead - istio_cni: - # `chained` has been deprecated and will be removed in a future release. use `provider` instead - chained: true - provider: default - - # Gateway Settings - gateways: - # Define the security context for the pod. - # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. - # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. - securityContext: {} diff --git a/resources/v1.22.3/charts/ztunnel/Chart.yaml b/resources/v1.22.3/charts/ztunnel/Chart.yaml deleted file mode 100644 index 8bc58b9bd..000000000 --- a/resources/v1.22.3/charts/ztunnel/Chart.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -appVersion: 1.22.3 -description: Helm chart for istio ztunnel components -icon: https://istio.io/latest/favicons/android-192x192.png -keywords: -- istio-ztunnel -- istio -name: ztunnel -sources: -- https://github.com/istio/istio -version: 1.22.3 diff --git a/resources/v1.22.3/charts/ztunnel/README.md b/resources/v1.22.3/charts/ztunnel/README.md deleted file mode 100644 index ffe0b94fe..000000000 --- a/resources/v1.22.3/charts/ztunnel/README.md +++ /dev/null @@ -1,50 +0,0 @@ -# Istio Ztunnel Helm Chart - -This chart installs an Istio ztunnel. - -## Setup Repo Info - -```console -helm repo add istio https://istio-release.storage.googleapis.com/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Installing the Chart - -To install the chart: - -```console -helm install ztunnel istio/ztunnel -``` - -## Uninstalling the Chart - -To uninstall/delete the chart: - -```console -helm delete ztunnel -``` - -## Configuration - -To view support configuration options and documentation, run: - -```console -helm show values istio/ztunnel -``` - -### Profiles - -Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. -These can be set with `--set profile=`. -For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. - -For consistency, the same profiles are used across each chart, even if they do not impact a given chart. - -Explicitly set values have highest priority, then profile settings, then chart defaults. - -As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. -When configuring the chart, you should not include this. -That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml deleted file mode 100644 index 7b2c18c17..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-ambient.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - variant: distroless -pilot: - env: - PILOT_ENABLE_AMBIENT: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -cni: - ambient: - enabled: true - -# Ztunnel doesn't use a namespace, so everything here is mostly for ztunnel -variant: distroless diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml deleted file mode 100644 index 480718f1c..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.20.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.21 behavioral changes - ENABLE_EXTERNAL_NAME_ALIAS: "false" - PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHING: "true" - VERIFY_CERTIFICATE_AT_CLIENT: "false" - ENABLE_AUTO_SNI: "false" - - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" - -meshConfig: - # 1.22 behavioral changes - defaultConfig: - proxyMetadata: - ISTIO_DELTA_XDS: "false" - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml deleted file mode 100644 index 808d224ed..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-compatibility-version-1.21.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -pilot: - env: - # 1.22 behavioral changes - ENABLE_ENHANCED_RESOURCE_SCOPING: "false" - ENABLE_RESOLUTION_NONE_TARGET_PORT: "false" -meshConfig: - # 1.22 behavioral changes - proxyMetadata: - ISTIO_DELTA_XDS: "false" - defaultConfig: - tracing: - zipkin: - address: zipkin.istio-system:9411 diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml deleted file mode 100644 index 83b9d6b66..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-demo.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The demo profile enables a variety of things to try out Istio in non-production environments. -# * Lower resource utilization. -# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. -# * More ports enabled on the ingress, which is used in some tasks. -meshConfig: - accessLogFile: /dev/stdout - extensionProviders: - - name: otel - envoyOtelAls: - service: opentelemetry-collector.observability.svc.cluster.local - port: 4317 - - name: skywalking - skywalking: - service: tracing.istio-system.svc.cluster.local - port: 11800 - - name: otel-tracing - opentelemetry: - port: 4317 - service: opentelemetry-collector.observability.svc.cluster.local - -global: - proxy: - resources: - requests: - cpu: 10m - memory: 40Mi - -pilot: - autoscaleEnabled: false - traceSampling: 100 - resources: - requests: - cpu: 10m - memory: 100Mi - -gateways: - istio-egressgateway: - autoscaleEnabled: false - resources: - requests: - cpu: 10m - memory: 40Mi - istio-ingressgateway: - autoscaleEnabled: false - ports: - ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. - # Note that AWS ELB will by default perform health checks on the first port - # on this list. Setting this to the health check port will ensure that health - # checks always work. https://github.com/istio/istio/issues/12503 - - port: 15021 - targetPort: 15021 - name: status-port - - port: 80 - targetPort: 8080 - name: http2 - - port: 443 - targetPort: 8443 - name: https - - port: 31400 - targetPort: 31400 - name: tcp - # This is the port where sni routing happens - - port: 15443 - targetPort: 15443 - name: tls - resources: - requests: - cpu: 10m - memory: 40Mi \ No newline at end of file diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml deleted file mode 100644 index 0908fd145..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-openshift-ambient.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -meshConfig: - defaultConfig: - proxyMetadata: - ISTIO_META_ENABLE_HBONE: "true" -global: - platform: openshift -cni: - ambient: - enabled: true - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -pilot: - cni: - enabled: true - provider: "multus" - variant: distroless - env: - PILOT_ENABLE_AMBIENT: "true" - # Allow sidecars/ingress to send/receive HBONE. This is required for interop. - PILOT_ENABLE_SENDING_HBONE: "true" - PILOT_ENABLE_SIDECAR_LISTENING_HBONE: "true" - CA_TRUSTED_NODE_ACCOUNTS: "istio-system/ztunnel,kube-system/ztunnel" -platform: openshift -variant: distroless -seLinuxOptions: - type: spc_t \ No newline at end of file diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml deleted file mode 100644 index 18f61b88f..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-openshift.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The OpenShift profile provides a basic set of settings to run Istio on OpenShift -# CNI must be installed. -cni: - cniBinDir: /var/lib/cni/bin - cniConfDir: /etc/cni/multus/net.d - chained: false - cniConfFileName: "istio-cni.conf" - logLevel: info - provider: "multus" -global: - platform: openshift -pilot: - cni: - enabled: true - provider: "multus" -platform: openshift diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml deleted file mode 100644 index 181d7bda2..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-preview.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -meshConfig: - defaultConfig: - proxyMetadata: - # Enable Istio agent to handle DNS requests for known hosts - # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf - ISTIO_META_DNS_CAPTURE: "true" diff --git a/resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml b/resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml deleted file mode 100644 index 358282e69..000000000 --- a/resources/v1.22.3/charts/ztunnel/files/profile-stable.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# WARNING: DO NOT EDIT, THIS FILE IS A COPY. -# The original version of this file is located at /manifests/helm-profiles directory. -# If you want to make a change in this file, edit the original one and run "make gen". - -# The stable profile deploys admission control to ensure that only stable resources and fields are used -# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE -experimental: - stableValidationPolicy: true diff --git a/resources/v1.22.3/charts/ztunnel/templates/NOTES.txt b/resources/v1.22.3/charts/ztunnel/templates/NOTES.txt deleted file mode 100644 index 244f59db0..000000000 --- a/resources/v1.22.3/charts/ztunnel/templates/NOTES.txt +++ /dev/null @@ -1,5 +0,0 @@ -ztunnel successfully installed! - -To learn more about the release, try: - $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} - $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml b/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml deleted file mode 100644 index 5d600d3cc..000000000 --- a/resources/v1.22.3/charts/ztunnel/templates/daemonset.yaml +++ /dev/null @@ -1,165 +0,0 @@ -apiVersion: apps/v1 -kind: DaemonSet -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} -spec: - updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - selector: - matchLabels: - app: ztunnel - template: - metadata: - labels: - sidecar.istio.io/inject: "false" - istio.io/dataplane-mode: none - app: ztunnel -{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} - annotations: - sidecar.istio.io/inject: "false" -{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} - spec: - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ztunnel - tolerations: - - effect: NoSchedule - operator: Exists - - key: CriticalAddonsOnly - operator: Exists - - effect: NoExecute - operator: Exists - containers: - - name: istio-proxy -{{- if contains "/" .Values.image }} - image: "{{ .Values.image }}" -{{- else }} - image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" -{{- end }} - ports: - - containerPort: 15020 - name: ztunnel-stats - protocol: TCP - resources: -{{- if .Values.resources }} -{{ toYaml .Values.resources | trim | indent 10 }} -{{- end }} -{{- with .Values.imagePullPolicy }} - imagePullPolicy: {{ . }} -{{- end }} - securityContext: - allowPrivilegeEscalation: false - privileged: false - capabilities: - drop: - - ALL - add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html - - NET_ADMIN # Required for TPROXY and setsockopt - - SYS_ADMIN # Required for `setns` - doing things in other netns - - NET_RAW # Required for RAW/PACKET sockets, TPROXY - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: false - runAsUser: 0 -{{- if .Values.seLinuxOptions }} - seLinuxOptions: -{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} -{{- end }} - readinessProbe: - httpGet: - port: 15021 - path: /healthz/ready - args: - - proxy - - ztunnel - env: - - name: CA_ADDRESS - {{- if .Values.caAddress }} - value: {{ .Values.caAddress }} - {{- else }} - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - {{- end }} - - name: XDS_ADDRESS - value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 - - name: RUST_LOG - value: {{ .Values.logLevel | quote }} - - name: ISTIO_META_CLUSTER_ID - value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} - - name: INPOD_ENABLED - value: "true" - - name: ISTIO_META_DNS_PROXY_ADDR - value: "127.0.0.1:15053" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: INSTANCE_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} - {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} - - name: {{ $key }} - value: "{{ $value }}" - {{- end }} - {{- end }} - {{- with .Values.env }} - {{- range $key, $val := . }} - - name: {{ $key }} - value: "{{ $val }}" - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /var/run/ztunnel - name: cni-ztunnel-sock-dir - - mountPath: /tmp - name: tmp - {{- with .Values.volumeMounts }} - {{- toYaml . | nindent 8 }} - {{- end }} - priorityClassName: system-node-critical - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} - volumes: - - name: istio-token - projected: - sources: - - serviceAccountToken: - path: istio-token - expirationSeconds: 43200 - audience: istio-ca - - name: istiod-ca-cert - configMap: - name: istio-ca-root-cert - - name: cni-ztunnel-sock-dir - hostPath: - path: /var/run/ztunnel - type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet. - # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one - - name: tmp - emptyDir: {} - {{- with .Values.volumes }} - {{- toYaml . | nindent 6}} - {{- end }} diff --git a/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml b/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml deleted file mode 100644 index 9583b200e..000000000 --- a/resources/v1.22.3/charts/ztunnel/templates/rbac.yaml +++ /dev/null @@ -1,51 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount - {{- with .Values.imagePullSecrets }} -imagePullSecrets: - {{- range . }} - - name: {{ . }} - {{- end }} - {{- end }} -metadata: - name: ztunnel - namespace: {{ .Release.Namespace }} - labels: - {{- .Values.labels | toYaml | nindent 4}} - annotations: - {{- .Values.annotations | toYaml | nindent 4 }} ---- -{{- if (eq .Values.platform "openshift") }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ztunnel - labels: - app: ztunnel - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} -rules: -- apiGroups: ["security.openshift.io"] - resources: ["securitycontextconstraints"] - resourceNames: ["privileged"] - verbs: ["use"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ztunnel - labels: - app: ztunnel - release: {{ .Release.Name }} - istio.io/rev: {{ .Values.revision | default "default" }} - install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ztunnel -subjects: -- kind: ServiceAccount - name: ztunnel - namespace: {{ .Release.Namespace }} -{{- end }} ---- \ No newline at end of file diff --git a/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml b/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml deleted file mode 100644 index 6359d435a..000000000 --- a/resources/v1.22.3/charts/ztunnel/templates/zzz_profile.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. -The original version of this file is located at /manifests directory. -If you want to make a change in this file, edit the original one and run "make gen". - -Complex logic ahead... -We have three sets of values, in order of precedence (last wins): -1. The builtin values.yaml defaults -2. The profile the user selects -3. Users input (-f or --set) - -Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). - -However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). -We can then merge the profile onto the defaults, then the user settings onto that. -Finally, we can set all of that under .Values so the chart behaves without awareness. -*/}} -{{- $defaults := $.Values.defaults }} -{{- $_ := unset $.Values "defaults" }} -{{- $profile := dict }} -{{- with .Values.profile }} -{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} -{{- $profile = (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown profile" $.Values.profile) }} -{{- end }} -{{- end }} -{{- with .Values.compatibilityVersion }} -{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} -{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} -{{- else }} -{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} -{{- end }} -{{- end }} -{{- if $profile }} -{{- $a := mustMergeOverwrite $defaults $profile }} -{{- end }} -{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} diff --git a/resources/v1.22.3/charts/ztunnel/values.yaml b/resources/v1.22.3/charts/ztunnel/values.yaml deleted file mode 100644 index 1e51bdb60..000000000 --- a/resources/v1.22.3/charts/ztunnel/values.yaml +++ /dev/null @@ -1,87 +0,0 @@ -defaults: - # Hub to pull from. Image will be `Hub/Image:Tag-Variant` - hub: docker.io/istio - # Tag to pull from. Image will be `Hub/Image:Tag-Variant` - tag: 1.22.3 - # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. - variant: "" - - # Image name to pull from. Image will be `Hub/Image:Tag-Variant` - # If Image contains a "/", it will replace the entire `image` in the pod. - image: ztunnel - - # Labels to apply to all top level resources - labels: {} - # Annotations to apply to all top level resources - annotations: {} - - # Additional volumeMounts to the ztunnel container - volumeMounts: [] - - # Additional volumes to the ztunnel pod - volumes: [] - - # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). - podAnnotations: - prometheus.io/port: "15020" - prometheus.io/scrape: "true" - - # Additional labels to apply on the pod level - podLabels: {} - - # Pod resource configuration - resources: - requests: - cpu: 200m - # Ztunnel memory scales with the size of the cluster and traffic load - # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. - memory: 512Mi - - # List of secret names to add to the service account as image pull secrets - imagePullSecrets: [] - - # A `key: value` mapping of environment variables to add to the pod - env: {} - - # Override for the pod imagePullPolicy - imagePullPolicy: "" - - # Settings for multicluster - multiCluster: - # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent - # with Istiod configuration. - clusterName: "" - - # meshConfig defines runtime configuration of components. - # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other - # components. - # TODO: https://github.com/istio/istio/issues/43248 - meshConfig: - defaultConfig: - proxyMetadata: {} - - # This value defines: - # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) - # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) - # Default K8S value is 30 seconds - terminationGracePeriodSeconds: 30 - - # Revision is set as 'version' label and part of the resource names when installing multiple control planes. - revision: "" - - # The customized CA address to retrieve certificates for the pods in the cluster. - # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - caAddress: "" - - # Used to locate istiod. - istioNamespace: istio-system - - # Configuration log level of ztunnel binary, default is info. - # Valid values are: trace, debug, info, warn, error - logLevel: info - - # Set to `type: RuntimeDefault` to use the default profile if available. - seLinuxOptions: {} - # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead - #seLinuxOptions: - # type: spc_t diff --git a/resources/v1.22.3/profiles/ambient.yaml b/resources/v1.22.3/profiles/ambient.yaml deleted file mode 100644 index ddaaa4415..000000000 --- a/resources/v1.22.3/profiles/ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: ambient diff --git a/resources/v1.22.3/profiles/default.yaml b/resources/v1.22.3/profiles/default.yaml deleted file mode 100644 index 1f44cc310..000000000 --- a/resources/v1.22.3/profiles/default.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - # Most default values come from the helm chart's values.yaml - # Below are the things that differ - values: - defaultRevision: "" - global: - istioNamespace: istio-system - configValidation: true diff --git a/resources/v1.22.3/profiles/demo.yaml b/resources/v1.22.3/profiles/demo.yaml deleted file mode 100644 index fad37e4c2..000000000 --- a/resources/v1.22.3/profiles/demo.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: demo diff --git a/resources/v1.22.3/profiles/empty.yaml b/resources/v1.22.3/profiles/empty.yaml deleted file mode 100644 index 01052de7f..000000000 --- a/resources/v1.22.3/profiles/empty.yaml +++ /dev/null @@ -1,5 +0,0 @@ -# The empty profile has everything disabled -# This is useful as a base for custom user configuration -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: {} diff --git a/resources/v1.22.3/profiles/openshift-ambient.yaml b/resources/v1.22.3/profiles/openshift-ambient.yaml deleted file mode 100644 index a30b2099b..000000000 --- a/resources/v1.22.3/profiles/openshift-ambient.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: openshift-ambient diff --git a/resources/v1.22.3/profiles/openshift.yaml b/resources/v1.22.3/profiles/openshift.yaml deleted file mode 100644 index a75886e87..000000000 --- a/resources/v1.22.3/profiles/openshift.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: openshift diff --git a/resources/v1.22.3/profiles/preview.yaml b/resources/v1.22.3/profiles/preview.yaml deleted file mode 100644 index 485687d6a..000000000 --- a/resources/v1.22.3/profiles/preview.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The preview profile contains features that are experimental. -# This is intended to explore new features coming to Istio. -# Stability, security, and performance are not guaranteed - use at your own risk. -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: preview diff --git a/resources/v1.22.3/profiles/stable.yaml b/resources/v1.22.3/profiles/stable.yaml deleted file mode 100644 index 594344792..000000000 --- a/resources/v1.22.3/profiles/stable.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: sailoperator.io/v1alpha1 -kind: Istio -spec: - values: - profile: stable