From a53f04ff6671069650397f6154c6ecf01a1d6a19 Mon Sep 17 00:00:00 2001 From: lisenet Date: Wed, 10 Apr 2024 18:00:19 +0100 Subject: [PATCH] Bump K8s to 1.29 --- README.md | 4 +- VERSIONS.md | 14 +- kubernetes/calico/calico.yaml | 350 +++- kubernetes/istio/istio-kubernetes.yml | 2307 ++++++++++++++++++------- manifest.json | 2 +- terraform/provider.tf | 6 +- 6 files changed, 2022 insertions(+), 661 deletions(-) diff --git a/README.md b/README.md index 40e00b9..f8ab142 100644 --- a/README.md +++ b/README.md @@ -3,8 +3,8 @@ A repository to keep resources and configuration files used with my Kubernetes homelab. [![version](https://img.shields.io/github/manifest-json/v/lisenet/kubernetes-homelab?label=Kubernetes)](https://github.com/lisenet/kubernetes-homelab/blob/master/VERSIONS.md) -[![calico](https://img.shields.io/badge/Calico-3.26-blue)](https://github.com/lisenet/kubernetes-homelab/blob/master/VERSIONS.md) -[![istio](https://img.shields.io/badge/Istio-1.19-blue)](https://github.com/lisenet/kubernetes-homelab/blob/master/VERSIONS.md) +[![calico](https://img.shields.io/badge/Calico-3.27-blue)](https://github.com/lisenet/kubernetes-homelab/blob/master/VERSIONS.md) +[![istio](https://img.shields.io/badge/Istio-1.20-blue)](https://github.com/lisenet/kubernetes-homelab/blob/master/VERSIONS.md) [![operating system](https://img.shields.io/badge/Rocky-9-blue)](https://github.com/lisenet/kubernetes-homelab/blob/master/VERSIONS.md) [![license](https://img.shields.io/github/license/lisenet/kubernetes-homelab)](https://github.com/lisenet/kubernetes-homelab/blob/master/LICENSE) [![last commit](https://img.shields.io/github/last-commit/lisenet/kubernetes-homelab)](https://github.com/lisenet/kubernetes-homelab/commits/master) diff --git a/VERSIONS.md b/VERSIONS.md index 0c93cb8..1d23dda 100644 --- a/VERSIONS.md +++ b/VERSIONS.md 
@@ -5,17 +5,17 @@ Kubernetes development continues to grow at a rapid pace, and keeping up to date can be a challenge. Therefore it’s important to know which software versions can work together without breaking things. * Rocky Linux 9.2 -* Kubernetes 1.28.1 -* Calico CNI 3.26 +* Kubernetes 1.29.2 +* Calico CNI 3.27 * containerd 1.6.20 -* kubernetes-cni 1.1.1 -* Istio 1.19 +* kubernetes-cni 1.3.0 +* Istio 1.20 Other services (in alphabetical order): * Alertmanager 0.23.0 * Argo CD 2.3.2 -* CoreDNS 1.10.1 +* CoreDNS 1.11.1 * Democratic CSI 0.13.7 * Grafana 9.5.2 * Homeassistant 2023.7 @@ -34,9 +34,9 @@ Other services (in alphabetical order): * Velero 1.8.1 * x509-certificate-exporter 3.6.0 -[Calico 3.26](https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements#kubernetes-requirements) has been tested against the following Kubernetes versions: 1.24, 1.25, 1.26, 1.27. +[Calico 3.27](https://docs.tigera.io/calico/latest/getting-started/kubernetes/requirements#kubernetes-requirements) has been tested against the following Kubernetes versions: 1.27, 1.28, 1.29. -[Istio 1.19](https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases) has been tested with these Kubernetes releases: 1.25, 1.26, 1.27, 1.28. +[Istio 1.20](https://istio.io/latest/docs/releases/supported-releases/#support-status-of-istio-releases) has been tested with these Kubernetes releases: 1.25, 1.26, 1.27, 1.28, 1.29. Kubernetes 1.21 updated the latest validated version of Docker to 20.10. As of [Kubernetes 1.24](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#dockershim-removed-from-kubelet), Docker runtime support using dockshim in the kubelet has been completely removed. diff --git a/kubernetes/calico/calico.yaml b/kubernetes/calico/calico.yaml index 59cf309..3998fd1 100644 --- a/kubernetes/calico/calico.yaml +++ b/kubernetes/calico/calico.yaml 
@@ -29,6 +29,13 @@ metadata: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-config.yaml # This ConfigMap is used to configure a self-hosted Calico installation. kind: ConfigMap 
@@ -273,6 +280,138 @@ status: # Source: calico/templates/kdd-crds.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: bgpfilters.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPFilter + listKind: BGPFilterList + plural: bgpfilters + singular: bgpfilter + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPFilterSpec contains the IPv4 and IPv6 filter rules of + the BGP Filter. + properties: + exportV4: + description: The ordered set of IPv4 BGPFilter rules acting on exporting + routes to a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + interface: + type: string + matchOperator: + type: string + source: + type: string + required: + - action + type: object + type: array + exportV6: + description: The ordered set of IPv6 BGPFilter rules acting on exporting + routes to a peer. 
+ items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + interface: + type: string + matchOperator: + type: string + source: + type: string + required: + - action + type: object + type: array + importV4: + description: The ordered set of IPv4 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV4 defines a BGP filter rule consisting + a single IPv4 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + interface: + type: string + matchOperator: + type: string + source: + type: string + required: + - action + type: object + type: array + importV6: + description: The ordered set of IPv6 BGPFilter rules acting on importing + routes from a peer. + items: + description: BGPFilterRuleV6 defines a BGP filter rule consisting + a single IPv6 CIDR block and a filter action for this CIDR. + properties: + action: + type: string + cidr: + type: string + interface: + type: string + matchOperator: + type: string + source: + type: string + required: + - action + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +# Source: calico/templates/kdd-crds.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition metadata: name: bgppeers.crd.projectcalico.org spec: @@ -308,6 +447,11 @@ spec: description: The AS Number of the peer. format: int32 type: integer + filters: + description: The ordered set of BGPFilters applied on this BGP peer. + items: + type: string + type: array keepOriginalNextHop: description: Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting "true" configures the selected BGP 
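Review bot: In the new BGPFilter CRD the rule field `action` is listed under `required` but typed as an unconstrained `string`, as are `matchOperator` and `source`, so a misspelt value is admitted by the API server and only surfaces, if at all, when Calico later processes the filter. An `enum` on `action` listing the values Calico documents for BGP filter rules would reject it at admission, in the same way the FelixConfiguration fields elsewhere in this commit are tightened with `pattern`. The file is rendered from the upstream chart (the `# Source:` comments), so the change belongs upstream rather than in a hand edit here. The `filters` list added to BGPPeer in the next hunk is a list of BGPFilter names with no referential check, which is normal for a CRD but means a typo in a filter name fails silently at the API level.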
@@ -846,14 +990,41 @@ spec: - Enable - Disable type: string + bpfCTLBLogFilter: + description: 'BPFCTLBLogFilter specifies, what is logged by connect + time load balancer when BPFLogLevel is debug. Currently has to be + specified as ''all'' when BPFLogFilters is set to see CTLB logs. + [Default: unset - means logs are emitted when BPFLogLevel id debug + and BPFLogFilters not set.]' + type: string + bpfConnectTimeLoadBalancing: + description: 'BPFConnectTimeLoadBalancing when in BPF mode, controls + whether Felix installs the connect-time load balancer. The connect-time + load balancer is required for the host to be able to reach Kubernetes + services and it improves the performance of pod-to-service connections.When + set to TCP, connect time load balancing is available only for services + with TCP ports. [Default: TCP]' + enum: + - TCP + - Enabled + - Disabled + type: string bpfConnectTimeLoadBalancingEnabled: description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service - connections. The only reason to disable it is for debugging purposes. [Default: + connections. The only reason to disable it is for debugging purposes. + This will be deprecated. Use BPFConnectTimeLoadBalancing [Default: true]' type: boolean + bpfDSROptoutCIDRs: + description: BPFDSROptoutCIDRs is a list of CIDRs which are excluded + from DSR. That is, clients in those CIDRs will accesses nodeports + as if BPFExternalServiceMode was set to Tunnel. + items: + type: string + type: array bpfDataIfacePattern: description: BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to 
@@ -863,6 +1034,12 @@ spec: the cluster. It should not match the workload interfaces (usually named cali...). type: string + bpfDisableGROForIfaces: + description: BPFDisableGROForIfaces is a regular expression that controls + which interfaces Felix should disable the Generic Receive Offload + [GRO] option. It should not match the workload interfaces (usually + named cali...). + type: string bpfDisableUnprivileged: description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged @@ -877,7 +1054,8 @@ spec: description: 'BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: - Strict]' + Loose]' + pattern: ^(?i)(Disabled|Strict|Loose)?$ type: string bpfExtToServiceConnmark: description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit 
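Review bot: The `bpfEnforceRPF` description in the second hunk now reads `[Default: Loose]` where the previous text said `Strict`, so a cluster running the BPF dataplane that never set this field explicitly gets weaker reverse-path filtering after the upgrade; the default itself lives in Felix, this manifest only documents it. Whether this homelab uses BPF mode or sets the field is not visible in these hunks; if strict filtering was being relied on, pin it in the FelixConfiguration, `bpfEnforceRPF: Strict`, instead of depending on the default. The new `pattern: ^(?i)(Disabled|Strict|Loose)?$` is case-insensitive and, because of the trailing `?`, also accepts an empty value, so it will not catch a blank field.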
@@ -895,12 +1073,31 @@ spec: is sent directly from the remote node. In "DSR" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]' + pattern: ^(?i)(Tunnel|DSR)?$ type: string + bpfForceTrackPacketsFromIfaces: + description: 'BPFForceTrackPacketsFromIfaces in BPF mode, forces traffic + from these interfaces to skip Calico''s iptables NOTRACK rule, allowing + traffic from those interfaces to be tracked by Linux conntrack. Should + only be used for interfaces that are not used for the Calico fabric. For + example, a docker bridge device for non-Calico-networked containers. + [Default: docker+]' + items: + type: string + type: array bpfHostConntrackBypass: description: 'BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]' type: boolean + bpfHostNetworkedNATWithoutCTLB: + description: 'BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls + whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing + determines the CTLB behavior. [Default: Enabled]' + enum: + - Enabled + - Disabled + type: string bpfKubeProxyEndpointSlicesEnabled: description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not. @@ -916,6 +1113,7 @@ spec: minimum time between updates to the dataplane for Felix''s embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string bpfL3IfacePattern: description: BPFL3IfacePattern is a regular expression that allows 
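Review bot: The duration pattern added to `bpfKubeProxyMinSyncPeriod` in the last hunk, `pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$`, is a plain YAML scalar, so both backslashes survive into the regex and `\\.` then means a literal backslash followed by any character; `10s` still validates, but a fractional value such as `1.5s` is rejected by the API server, and the trailing `)*` also admits the empty string and concatenations like `1s2m`. If fractional durations are meant to be allowed, the escape should be a single one, `pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$`. The same pattern is repeated for `debugSimulateCalcGraphHangAfter`, `debugSimulateDataplaneHangAfter`, `endpointReportingDelay`, `netlinkTimeout`, `reportingTTL`, `routeRefreshInterval`, `usageReportingInitialDelay`, `usageReportingInterval`, `wireguardKeepAlive` and the other duration fields in the following hunks of this file, so one upstream fix covers them all. As this manifest is rendered from the upstream chart (`# Source:` comments), a local edit would be lost on the next bump.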
@@ -925,11 +1123,22 @@ spec: as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. type: string + bpfLogFilters: + additionalProperties: + type: string + description: "BPFLogFilters is a map of key=values where the value + is a pcap filter expression and the key is an interface name with + 'all' denoting all interfaces, 'weps' all workload endpoints and + 'heps' all host endpoints. \n When specified as an env var, it accepts + a comma-separated list of key=values. [Default: unset - means all + debug logs are emitted]" + type: object bpfLogLevel: description: 'BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of "Off", "Info", or "Debug". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].' + pattern: ^(?i)(Off|Info|Debug)?$ type: string bpfMapSizeConntrack: description: 'BPFMapSizeConntrack sets the size for the conntrack @@ -994,6 +1203,7 @@ spec: to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]' + pattern: ^(?i)(insert|append)?$ type: string dataplaneDriver: description: DataplaneDriver filename of the external dataplane driver @@ -1012,8 +1222,10 @@ spec: debugMemoryProfilePath: type: string debugSimulateCalcGraphHangAfter: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string debugSimulateDataplaneHangAfter: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string defaultEndpointToHostAction: description: 'DefaultEndpointToHostAction controls what happens to @@ -1028,6 +1240,7 @@ spec: endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]' + pattern: ^(?i)(Drop|Accept|Return)?$ type: string deviceRouteProtocol: description: This defines the route protocol added to programmed device 
@@ -1046,6 +1259,7 @@ spec: disableConntrackInvalidCheck: type: boolean endpointReportingDelay: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string endpointReportingEnabled: type: boolean @@ -1113,12 +1327,14 @@ spec: based on auto-detected platform capabilities. Values are specified in a comma separated list with no spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". "true" or "false" will force the feature, empty or omitted values are auto-detected. + pattern: ^([a-zA-Z0-9-_]+=(true|false|),)*([a-zA-Z0-9-_]+=(true|false|))?$ type: string featureGates: description: FeatureGates is used to enable or disable tech-preview Calico features. Values are specified in a comma separated list with no spaces, example; "BPFConnectTimeLoadBalancingWorkaround=enabled,XyZ=false". This is used to enable features that are not fully production ready. + pattern: ^([a-zA-Z0-9-_]+=([^=]+),)*([a-zA-Z0-9-_]+=([^=]+))?$ type: string floatingIPs: description: FloatingIPs configures whether or not Felix will program @@ -1142,7 +1358,7 @@ spec: type: integer healthTimeoutOverrides: description: HealthTimeoutOverrides allows the internal watchdog timeouts - of individual subcomponents to be overriden. This is useful for + of individual subcomponents to be overridden. This is useful for working around "false positive" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs. @@ -1180,6 +1396,7 @@ spec: description: InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. The rescan can be disabled by setting the interval to 0. + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipipEnabled: description: 'IPIPEnabled overrides whether Felix should configure 
@@ -1195,12 +1412,22 @@ spec: all iptables state to ensure that no other process has accidentally broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: 90s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesBackend: description: IptablesBackend specifies which backend of iptables will be used. The default is Auto. + pattern: ^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$ type: string iptablesFilterAllowAction: + pattern: ^(?i)(Accept|Return)?$ + type: string + iptablesFilterDenyAction: + description: IptablesFilterDenyAction controls what happens to traffic + that is denied by network policy. By default Calico blocks traffic + with an iptables "DROP" action. If you want to use "REJECT" action + instead you can configure it in here. + pattern: ^(?i)(Drop|Reject)?$ type: string iptablesLockFilePath: description: 'IptablesLockFilePath is the location of the iptables @@ -1213,6 +1440,7 @@ spec: wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesLockTimeout: description: 'IptablesLockTimeout is the time that Felix will wait @@ -1221,8 +1449,10 @@ spec: also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesMangleAllowAction: + pattern: ^(?i)(Accept|Return)?$ type: string iptablesMarkMask: description: 'IptablesMarkMask is the mask that Felix selects its 
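Review bot: The new `pattern` on `iptablesBackend` in the first hunk, `^(?i)(Auto|FelixConfiguration|FelixConfigurationList|Legacy|NFT)?$`, lists the CRD kind names `FelixConfiguration` and `FelixConfigurationList` as accepted backends alongside `Auto`, `Legacy` and `NFT`; that looks like an artifact of whatever generated the pattern rather than real backend values, and it means those two strings pass admission even though the description only promises `Auto` as the default. Since the file is rendered from the upstream chart, this is worth reporting upstream rather than editing here. The trailing `?` on this and the sibling patterns (`iptablesFilterAllowAction`, `iptablesFilterDenyAction`, `iptablesMangleAllowAction`) also accepts an empty string, so a blank value is not caught.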
@@ -1239,6 +1469,7 @@ spec: back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn''t respect the iptables lock. [Default: 1s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesRefreshInterval: description: 'IptablesRefreshInterval is the period at which Felix @@ -1249,6 +1480,7 @@ spec: was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string ipv6Support: description: IPv6Support controls whether Felix enables support for @@ -1283,15 +1515,18 @@ spec: logSeverityFile: description: 'LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]' + pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string logSeverityScreen: description: 'LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]' + pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string logSeveritySys: description: 'LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. [Default: Info]' + pattern: ^(?i)(Debug|Info|Warning|Error|Fatal)?$ type: string maxIpsetSize: type: integer @@ -1330,6 +1565,7 @@ spec: pattern: ^.* x-kubernetes-int-or-string: true netlinkTimeout: + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string openstackRegion: description: 'OpenstackRegion is the name of the region that a particular 
@@ -1384,21 +1620,25 @@ spec: description: 'ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string reportingTTL: description: 'ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string routeRefreshInterval: description: 'RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico''s rules. Set to 0 to disable route refresh. [Default: 90s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string routeSource: description: 'RouteSource configures where Felix gets its routing information. - WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the default - use IPAM data to construct routes.' + pattern: ^(?i)(WorkloadIPs|CalicoIPAM)?$ type: string routeSyncDisabled: description: RouteSyncDisabled will disable all operations performed @@ -1438,6 +1678,7 @@ spec: packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", in which case such routing loops continue to be allowed. [Default: Drop]' + pattern: ^(?i)(Drop|Reject|Disabled)?$ type: string sidecarAccelerationEnabled: description: 'SidecarAccelerationEnabled enables experimental sidecar @@ -1453,10 +1694,12 @@ spec: usageReportingInitialDelay: description: 'UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string usageReportingInterval: description: 'UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string useInternalDataplaneDriver: description: UseInternalDataplaneDriver, if true, Felix will use its 
@@ -1480,6 +1723,14 @@ spec: type: integer vxlanVNI: type: integer + windowsManageFirewallRules: + description: 'WindowsManageFirewallRules configures whether or not + Felix will program Windows Firewall rules. (to allow inbound access + to its own metrics ports) [Default: Disabled]' + enum: + - Enabled + - Disabled + type: string wireguardEnabled: description: 'WireguardEnabled controls whether Wireguard is enabled for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). @@ -1505,6 +1756,7 @@ spec: wireguardKeepAlive: description: 'WireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string wireguardListeningPort: description: 'WireguardListeningPort controls the listening port used @@ -1531,6 +1783,7 @@ spec: the allowedSourcePrefixes annotation to send traffic with a source IP address that is not theirs. This is disabled by default. When set to "Any", pods can request any prefix. + pattern: ^(?i)(Disabled|Any)?$ type: string xdpEnabled: description: 'XDPEnabled enables XDP acceleration for suitable untracked @@ -1541,6 +1794,7 @@ spec: all XDP state to ensure that no other process has accidentally broken Calico''s BPF maps or attached programs. Set to 0 to disable XDP refresh. [Default: 90s]' + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string type: object type: object 
@@ -2355,6 +2609,19 @@ spec: with identical order will be applied in alphanumerical order based on the Policy "Name". type: number + performanceHints: + description: "PerformanceHints contains a list of hints to Calico's + policy engine to help process the policy more efficiently. Hints + never change the enforcement behaviour of the policy. \n Currently, + the only available hint is \"AssumeNeededOnEveryNode\". When that + hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for \"preloading\" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work done + to preload the policy (and to maintain it) is wasted." + items: + type: string + type: array preDNAT: description: PreDNAT indicates to apply the rules in this policy before any DNAT. @@ -4014,6 +4281,19 @@ spec: with identical order will be applied in alphanumerical order based on the Policy "Name". type: number + performanceHints: + description: "PerformanceHints contains a list of hints to Calico's + policy engine to help process the policy more efficiently. Hints + never change the enforcement behaviour of the policy. \n Currently, + the only available hint is \"AssumeNeededOnEveryNode\". When that + hint is set on a policy, Felix will act as if the policy matches + a local endpoint even if it does not. This is useful for \"preloading\" + any large static policies that are known to be used on every node. + If the policy is _not_ used on a particular node then the work done + to preload the policy (and to maintain it) is wasted." + items: + type: string + type: array selector: description: "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector 
@@ -4212,7 +4492,7 @@ rules: resources: - serviceaccounts/token resourceNames: - - calico-node + - calico-cni-plugin verbs: - create # The CNI plugin needs to get pods, nodes, and namespaces. @@ -4229,7 +4509,7 @@ rules: resources: - endpointslices verbs: - - watch + - watch - list - apiGroups: [""] resources: @@ -4283,6 +4563,7 @@ rules: - globalfelixconfigs - felixconfigurations - bgppeers + - bgpfilters - globalbgpconfigs - bgpconfigurations - ippools @@ -4366,6 +4647,41 @@ rules: verbs: - get --- +# Source: calico/templates/calico-node-rbac.yaml +# CNI cluster role +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-cni-plugin +rules: + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + - clusterinformations + - ippools + - ipreservations + - ipamconfigs + verbs: + - get + - list + - create + - update + - delete +--- # Source: calico/templates/calico-kube-controllers-rbac.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -4394,6 +4710,20 @@ subjects: name: calico-node namespace: kube-system --- +# Source: calico/templates/calico-node-rbac.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-cni-plugin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-cni-plugin +subjects: +- kind: ServiceAccount + name: calico-cni-plugin + namespace: kube-system +--- # Source: calico/templates/calico-node.yaml # This manifest installs the calico-node container, as well # as the CNI plugins and network config on 
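Review bot: The first hunk lets the calico-node ServiceAccount create tokens for `calico-cni-plugin` (`resourceNames: - calico-cni-plugin` under `serviceaccounts/token`), so calico-node's effective reach is its own ClusterRole plus the new `calico-cni-plugin` ClusterRole from the fourth hunk (get/list/create/update/delete on ipamblocks, ippools and the other `crd.projectcalico.org` resources listed there); a comment above that rule, `# calico-node mints the CNI plugin's token; review both ClusterRoles together`, would keep that coupling visible to the next reader. Whether the install-cni step and the CNI kubeconfig were switched to the new token is outside these hunks and is worth confirming before rollout. As a style point, the new ClusterRoleBinding in the last hunk writes `subjects:` as a flush sequence (`- kind: ServiceAccount`) while the ClusterRole's `rules:` sequence is indented; the file should use one form.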
@@ -4440,7 +4770,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.25.0 + image: docker.io/calico/cni:v3.27.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: @@ -4468,7 +4798,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.25.0 + image: docker.io/calico/cni:v3.27.0 imagePullPolicy: IfNotPresent command: ["/opt/cni/bin/install"] envFrom: @@ -4511,7 +4841,7 @@ spec: # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. - name: "mount-bpffs" - image: docker.io/calico/node:v3.25.0 + image: docker.io/calico/node:v3.27.0 imagePullPolicy: IfNotPresent command: ["calico-node", "-init", "-best-effort"] volumeMounts: @@ -4537,7 +4867,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.25.0 + image: docker.io/calico/node:v3.27.0 imagePullPolicy: IfNotPresent envFrom: - configMapRef: @@ -4754,7 +5084,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.25.0 + image: docker.io/calico/kube-controllers:v3.27.0 imagePullPolicy: IfNotPresent env: # Choose which controllers to run. diff --git a/kubernetes/istio/istio-kubernetes.yml b/kubernetes/istio/istio-kubernetes.yml index 5faebd2..54591d9 100644 --- a/kubernetes/istio/istio-kubernetes.yml +++ b/kubernetes/istio/istio-kubernetes.yml @@ -183,6 +183,8 @@ spec: items: type: string type: array + required: + - key type: object type: array type: object 
@@ -193,8 +195,26 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + targetRef: + description: Optional. + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object type: object status: type: object @@ -365,6 +385,8 @@ spec: items: type: string type: array + required: + - key type: object type: array type: object @@ -375,8 +397,26 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + targetRef: + description: Optional. + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object type: object status: type: object @@ -444,11 +484,15 @@ spec: description: The name of a service from the service registry. type: string subsets: + description: One or more named sets that represent individual versions + of a service. items: properties: labels: additionalProperties: type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. type: object name: description: Name of the subset. 
@@ -470,6 +514,9 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. format: int32 type: integer http2MaxRequests: @@ -487,6 +534,9 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. format: int32 type: integer useClientProtocol: @@ -518,8 +568,14 @@ spec: probes. type: string probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. type: integer time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. type: string type: object type: object 
@@ -531,84 +587,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -622,6 +639,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP header. 
@@ -646,6 +665,8 @@ spec: implements consistent hashing to backend hosts. properties: minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. type: integer type: object useSourceIp: @@ -686,6 +707,9 @@ spec: description: Originating region. type: string to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. type: string type: object type: array @@ -729,15 +753,22 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -764,6 +795,9 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. format: int32 type: integer http2MaxRequests: @@ -781,6 +815,9 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. format: int32 type: integer useClientProtocol: @@ -813,8 +850,14 @@ spec: keep-alive probes. type: string probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. type: integer time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. type: string type: object type: object 
@@ -827,84 +870,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -918,6 +922,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP 
@@ -945,6 +951,8 @@ spec: hosts. properties: minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. type: integer type: object useSourceIp: @@ -985,6 +993,9 @@ spec: description: Originating region. type: string to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. type: string type: object type: array @@ -1029,6 +1040,8 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. nullable: true type: integer interval: @@ -1036,9 +1049,15 @@ spec: analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -1047,6 +1066,9 @@ spec: type: boolean type: object port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. properties: number: type: integer 
@@ -1056,16 +1078,28 @@ spec: to the upstream service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' nullable: true type: boolean mode: + description: Indicates whether connections to + this port should be secured using TLS. enum: - DISABLE - SIMPLE @@ -1080,6 +1114,8 @@ spec: during TLS handshake. type: string subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. items: type: string type: array @@ -1091,16 +1127,27 @@ spec: upstream service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' nullable: true type: boolean mode: + description: Indicates whether connections to this port + should be secured using TLS. enum: - DISABLE - SIMPLE 
@@ -1115,11 +1162,15 @@ spec: TLS handshake. type: string subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. items: type: string type: array type: object tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling @@ -1133,11 +1184,18 @@ spec: description: Specifies a port to which the downstream connection is tunneled. type: integer + required: + - targetHost + - targetPort type: object type: object + required: + - name type: object type: array trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). properties: connectionPool: properties: @@ -1153,6 +1211,8 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: @@ -1169,6 +1229,8 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: @@ -1200,8 +1262,14 @@ spec: probes. type: string probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. type: integer time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. type: string type: object type: object 
@@ -1213,84 +1281,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -1304,6 +1333,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP header. 
@@ -1327,6 +1358,8 @@ spec: consistent hashing to backend hosts. properties: minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. type: integer type: object useSourceIp: @@ -1366,6 +1399,9 @@ spec: description: Originating region. type: string to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. type: string type: object type: array @@ -1408,15 +1444,22 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -1442,6 +1485,9 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. format: int32 type: integer http2MaxRequests: @@ -1459,6 +1505,9 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. format: int32 type: integer useClientProtocol: @@ -1490,8 +1539,14 @@ spec: probes. type: string probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. type: integer time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. type: string type: object type: object 
@@ -1503,84 +1558,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -1594,6 +1610,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP header. 
@@ -1618,6 +1636,8 @@ spec: implements consistent hashing to backend hosts. properties: minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. type: integer type: object useSourceIp: @@ -1658,6 +1678,9 @@ spec: description: Originating region. type: string to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. type: string type: object type: array @@ -1701,15 +1724,22 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -1718,6 +1748,8 @@ spec: type: boolean type: object port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. properties: number: type: integer 
@@ -1727,16 +1759,27 @@ spec: upstream service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' nullable: true type: boolean mode: + description: Indicates whether connections to this port + should be secured using TLS. enum: - DISABLE - SIMPLE @@ -1751,6 +1794,8 @@ spec: TLS handshake. type: string subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. items: type: string type: array @@ -1762,16 +1807,26 @@ spec: service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' nullable: true type: boolean mode: + description: Indicates whether connections to this port should + be secured using TLS. enum: - DISABLE - SIMPLE 
@@ -1786,11 +1841,15 @@ spec: handshake. type: string subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. items: type: string type: array type: object tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling @@ -1804,15 +1863,24 @@ spec: description: Specifies a port to which the downstream connection is tunneled. type: integer + required: + - targetHost + - targetPort type: object type: object workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. properties: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + required: + - host type: object status: type: object @@ -1853,11 +1921,15 @@ spec: description: The name of a service from the service registry. type: string subsets: + description: One or more named sets that represent individual versions + of a service. items: properties: labels: additionalProperties: type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. type: object name: description: Name of the subset. @@ -1879,6 +1951,9 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. format: int32 type: integer http2MaxRequests: @@ -1896,6 +1971,9 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. format: int32 type: integer useClientProtocol: 
@@ -1927,8 +2005,14 @@ spec: probes. type: string probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. type: integer time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. type: string type: object type: object 
@@ -1940,84 +2024,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -2031,6 +2076,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP header. 
@@ -2055,6 +2102,8 @@ spec: implements consistent hashing to backend hosts. properties: minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. type: integer type: object useSourceIp: @@ -2095,6 +2144,9 @@ spec: description: Originating region. type: string to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. type: string type: object type: array @@ -2138,15 +2190,22 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -2173,6 +2232,9 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. format: int32 type: integer http2MaxRequests: @@ -2190,6 +2252,9 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. format: int32 type: integer useClientProtocol: @@ -2222,8 +2287,14 @@ spec: keep-alive probes. type: string probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. type: integer time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. type: string type: object type: object 
@@ -2236,84 +2307,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -2327,6 +2359,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP 
@@ -2354,6 +2388,8 @@ spec: hosts. properties: minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. type: integer type: object useSourceIp: @@ -2394,6 +2430,9 @@ spec: description: Originating region. type: string to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. type: string type: object type: array @@ -2438,6 +2477,8 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. nullable: true type: integer interval: @@ -2445,9 +2486,15 @@ spec: analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least min_health_percent hosts in healthy + mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -2456,6 +2503,9 @@ spec: type: boolean type: object port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. properties: number: type: integer 
@@ -2465,16 +2515,28 @@ spec: to the upstream service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' nullable: true type: boolean mode: + description: Indicates whether connections to + this port should be secured using TLS. enum: - DISABLE - SIMPLE @@ -2489,6 +2551,8 @@ spec: during TLS handshake. type: string subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. items: type: string type: array @@ -2500,16 +2564,27 @@ spec: upstream service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' nullable: true type: boolean mode: + description: Indicates whether connections to this port + should be secured using TLS. enum: - DISABLE - SIMPLE 
@@ -2524,11 +2599,15 @@ spec: TLS handshake. type: string subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. items: type: string type: array type: object tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling @@ -2542,11 +2621,18 @@ spec: description: Specifies a port to which the downstream connection is tunneled. type: integer + required: + - targetHost + - targetPort type: object type: object + required: + - name type: object type: array trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). properties: connectionPool: properties: @@ -2562,6 +2648,8 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. format: int32 type: integer http2MaxRequests: @@ -2578,6 +2666,8 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. format: int32 type: integer useClientProtocol: @@ -2609,8 +2699,14 @@ spec: probes. type: string probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. type: integer time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. type: string type: object type: object 
@@ -2622,84 +2718,45 @@ spec: anyOf: - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -2713,6 +2770,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP header. 
@@ -2736,6 +2795,8 @@ spec: consistent hashing to backend hosts. properties: minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. type: integer type: object useSourceIp: @@ -2775,6 +2836,9 @@ spec: description: Originating region. type: string to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. type: string type: object type: array @@ -2817,15 +2881,22 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least min_health_percent + hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -2851,6 +2922,9 @@ spec: - UPGRADE type: string http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. format: int32 type: integer http2MaxRequests: @@ -2868,6 +2942,9 @@ spec: format: int32 type: integer maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. format: int32 type: integer useClientProtocol: 
@@ -2897,99 +2974,66 @@ spec: interval: description: The time duration between keep-alive probes. - type: string - probes: - type: integer - time: - type: string - type: object - type: object - type: object - loadBalancer: - description: Settings controlling the load balancer algorithms. - oneOf: - - not: - anyOf: - - required: - - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - required: - consistentHash - required: - simple - - properties: - consistentHash: - allOf: - - oneOf: - - not: - anyOf: - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - required: - - httpHeaderName - - required: - - httpCookie - - required: - - useSourceIp - - required: - - httpQueryParameterName - - oneOf: - - not: - anyOf: - - required: - - ringHash - - required: - - maglev - - required: - - ringHash - - required: - - maglev - properties: - minimumRingSize: {} - required: + - required: - consistentHash properties: consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev properties: httpCookie: description: Hash based on HTTP cookie. @@ -3003,6 +3047,8 @@ spec: ttl: description: Lifetime of the cookie. type: string + required: + - name type: object httpHeaderName: description: Hash based on a specific HTTP header. @@ -3027,6 +3073,8 @@ spec: implements consistent hashing to backend hosts. properties: minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. type: integer type: object useSourceIp: @@ -3067,6 +3115,9 @@ spec: description: Originating region. type: string to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. type: string type: object type: array 
@@ -3110,15 +3161,22 @@ spec: nullable: true type: integer consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. nullable: true type: integer interval: description: Time interval between ejection sweep analysis. type: string maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. format: int32 type: integer minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + min_health_percent hosts in healthy mode. format: int32 type: integer splitExternalLocalOriginErrors: @@ -3127,6 +3185,8 @@ spec: type: boolean type: object port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. properties: number: type: integer @@ -3136,16 +3196,27 @@ spec: upstream service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' nullable: true type: boolean mode: + description: Indicates whether connections to this port + should be secured using TLS. enum: - DISABLE - SIMPLE @@ -3160,6 +3231,8 @@ spec: TLS handshake. type: string subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. items: type: string type: array 
@@ -3171,16 +3244,26 @@ spec: service. properties: caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' type: string clientCertificate: description: REQUIRED if mode is `MUTUAL`. type: string credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. type: string insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' nullable: true type: boolean mode: + description: Indicates whether connections to this port should + be secured using TLS. enum: - DISABLE - SIMPLE @@ -3195,11 +3278,15 @@ spec: handshake. type: string subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. items: type: string type: array type: object tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. properties: protocol: description: Specifies which protocol to use for tunneling @@ -3213,15 +3300,24 @@ spec: description: Specifies a port to which the downstream connection is tunneled. type: integer + required: + - targetHost + - targetPort type: object type: object workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. properties: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + required: + - host type: object status: type: object @@ -3269,6 +3365,8 @@ spec: items: properties: applyTo: + description: Specifies where in the Envoy configuration, the + patch should be applied. enum: - INVALID - LISTENER 
@@ -3349,6 +3447,8 @@ spec: description: The filter name to match on. type: string subFilter: + description: The next level filter within this + filter to match upon. properties: name: description: The filter name to match on. @@ -3375,6 +3475,8 @@ spec: portName: type: string portNumber: + description: The service port/gateway port to which + traffic is being sent/received. type: integer type: object proxy: @@ -3383,14 +3485,21 @@ spec: metadata: additionalProperties: type: string + description: Match on the node metadata supplied by + a proxy when connecting to Istio Pilot. type: object proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. type: string type: object routeConfiguration: description: Match on envoy HTTP route configuration attributes. properties: gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. type: string name: description: Route configuration name to match on. @@ -3399,10 +3508,20 @@ spec: description: Applicable only for GATEWAY context. type: string portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. type: integer vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. properties: name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. type: string route: description: Match a specific route within the virtual @@ -3418,6 +3537,8 @@ spec: - DIRECT_RESPONSE type: string name: + description: The Route objects generated by + default are named as default. type: string type: object type: object 
@@ -3459,10 +3580,14 @@ spec: format: int32 type: integer workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. properties: labels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. type: object type: object type: object @@ -3512,12 +3637,16 @@ spec: selector: additionalProperties: type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. type: object servers: description: A list of server specifications. items: properties: bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. type: string defaultEndpoint: type: string @@ -3531,6 +3660,8 @@ spec: unique across all servers. type: string port: + description: The Port on which the proxy should listen for incoming + connections. properties: name: description: Label assigned to the port. @@ -3543,6 +3674,10 @@ spec: type: string targetPort: type: integer + required: + - number + - protocol + - name type: object tls: description: Set of TLS related options that govern the server's @@ -3558,8 +3693,14 @@ spec: type: string type: array credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. type: string httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' @@ -3580,6 +3721,8 @@ spec: - TLSV1_3 type: string mode: + description: 'Optional: Indicates whether connections to + this port should be secured using TLS.' enum: - PASSTHROUGH - SIMPLE 
@@ -3595,18 +3738,27 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. items: type: string type: array verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object + required: + - port + - hosts type: object type: array type: object @@ -3629,12 +3781,16 @@ spec: selector: additionalProperties: type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. type: object servers: description: A list of server specifications. items: properties: bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. type: string defaultEndpoint: type: string @@ -3648,6 +3804,8 @@ spec: unique across all servers. type: string port: + description: The Port on which the proxy should listen for incoming + connections. properties: name: description: Label assigned to the port. @@ -3660,6 +3818,10 @@ spec: type: string targetPort: type: integer + required: + - number + - protocol + - name type: object tls: description: Set of TLS related options that govern the server's @@ -3675,8 +3837,14 @@ spec: type: string type: array credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. type: string httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' 
@@ -3697,6 +3865,8 @@ spec: - TLSV1_3 type: string mode: + description: 'Optional: Indicates whether connections to + this port should be secured using TLS.' enum: - PASSTHROUGH - SIMPLE @@ -3712,18 +3882,27 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. items: type: string type: array verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object + required: + - port + - hosts type: object type: array type: object @@ -3829,8 +4008,8 @@ spec: openAPIV3Schema: properties: spec: - description: PeerAuthentication defines how traffic will be tunneled (or - not) to the sidecar. + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' properties: mtls: description: Mutual TLS settings for workload. @@ -3865,6 +4044,8 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object type: object @@ -3931,6 +4112,8 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object type: object 
@@ -3975,8 +4158,8 @@ spec: openAPIV3Schema: properties: spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' properties: jwtRules: description: Define the list of JWTs that can be validated at the @@ -3984,6 +4167,8 @@ spec: items: properties: audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. items: type: string type: array @@ -4002,6 +4187,8 @@ spec: description: The prefix that should be stripped before decoding the token. type: string + required: + - name type: object type: array fromParams: @@ -4017,8 +4204,12 @@ spec: of the JWT. type: string jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. type: string jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. type: string outputClaimToHeaders: description: This field specifies a list of operations to copy @@ -4034,7 +4225,11 @@ spec: type: object type: array outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. type: string + required: + - issuer type: object type: array selector: 
@@ -4043,8 +4238,26 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + targetRef: + description: Optional. + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object type: object status: type: object @@ -4059,8 +4272,8 @@ spec: openAPIV3Schema: properties: spec: - description: RequestAuthentication defines what request authentication - methods are supported by a workload. + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' properties: jwtRules: description: Define the list of JWTs that can be validated at the @@ -4068,6 +4281,8 @@ spec: items: properties: audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. items: type: string type: array @@ -4086,6 +4301,8 @@ spec: description: The prefix that should be stripped before decoding the token. type: string + required: + - name type: object type: array fromParams: @@ -4101,8 +4318,12 @@ spec: of the JWT. type: string jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. type: string jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. type: string outputClaimToHeaders: description: This field specifies a list of operations to copy 
@@ -4118,7 +4339,11 @@ spec: type: object type: array outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. type: string + required: + - issuer type: object type: array selector: @@ -4127,8 +4352,26 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + targetRef: + description: Optional. + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object type: object status: type: object @@ -4205,6 +4448,8 @@ spec: items: properties: address: + description: Address associated with the network endpoint without + the port. type: string labels: additionalProperties: @@ -4215,6 +4460,8 @@ spec: description: The locality associated with the endpoint. type: string network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. type: string ports: additionalProperties: @@ -4222,6 +4469,8 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. type: string weight: description: The load balancing weight associated with the endpoint. @@ -4239,6 +4488,8 @@ spec: type: string type: array location: + description: Specify whether the service should be considered external + to the mesh or part of the mesh. enum: - MESH_EXTERNAL - MESH_INTERNAL 
@@ -4257,7 +4508,12 @@ spec: description: The protocol exposed on the port. type: string targetPort: + description: The port number on the endpoint where the traffic + will be received. type: integer + required: + - number + - name type: object type: array resolution: @@ -4269,6 +4525,8 @@ spec: - DNS_ROUND_ROBIN type: string subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. items: type: string type: array @@ -4278,8 +4536,12 @@ spec: labels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. type: object type: object + required: + - hosts type: object status: type: object @@ -4329,6 +4591,8 @@ spec: items: properties: address: + description: Address associated with the network endpoint without + the port. type: string labels: additionalProperties: @@ -4339,6 +4603,8 @@ spec: description: The locality associated with the endpoint. type: string network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. type: string ports: additionalProperties: @@ -4346,6 +4612,8 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. type: string weight: description: The load balancing weight associated with the endpoint. @@ -4363,6 +4631,8 @@ spec: type: string type: array location: + description: Specify whether the service should be considered external + to the mesh or part of the mesh. enum: - MESH_EXTERNAL - MESH_INTERNAL 
@@ -4381,7 +4651,12 @@ spec: description: The protocol exposed on the port. type: string targetPort: + description: The port number on the endpoint where the traffic + will be received. type: integer + required: + - number + - name type: object type: array resolution: @@ -4393,6 +4668,8 @@ spec: - DNS_ROUND_ROBIN type: string subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. items: type: string type: array @@ -4402,8 +4679,12 @@ spec: labels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. type: object type: object + required: + - hosts type: object status: type: object @@ -4447,17 +4728,27 @@ spec: See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. items: properties: bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. type: string captureMode: + description: When the bind address is an IP, the captureMode + option dictates how traffic to the listener is expected to + be captured (or not). enum: - DEFAULT - IPTABLES - NONE type: string hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. items: type: string type: array 
@@ -4476,9 +4767,88 @@ spec: targetPort: type: integer type: object + required: + - hosts type: object type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. items: properties: bind: 
@@ -4486,12 +4856,96 @@ spec: be bound. type: string captureMode: + description: The captureMode option dictates how traffic to + the listener is expected to be captured (or not). enum: - DEFAULT - IPTABLES - NONE type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be + upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. type: string port: description: The port associated with the listener. @@ -4509,6 +4963,9 @@ spec: type: integer type: object tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. @@ -4520,8 +4977,14 @@ spec: type: string type: array credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. type: string httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' @@ -4542,6 +5005,8 @@ spec: - TLSV1_3 type: string mode: + description: 'Optional: Indicates whether connections to + this port should be secured using TLS.' enum: - PASSTHROUGH - SIMPLE 
@@ -4557,18 +5022,26 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. items: type: string type: array verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object + required: + - port type: object type: array outboundTrafficPolicy: @@ -4589,6 +5062,8 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object mode: enum: @@ -4597,10 +5072,14 @@ spec: type: string type: object workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. type: object type: object type: object 
@@ -4621,17 +5100,27 @@ spec: See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' properties: egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. items: properties: bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. type: string captureMode: + description: When the bind address is an IP, the captureMode + option dictates how traffic to the listener is expected to + be captured (or not). enum: - DEFAULT - IPTABLES - NONE type: string hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. items: type: string type: array 
@@ -4650,9 +5139,88 @@ spec: targetPort: type: integer type: object + required: + - hosts type: object type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. 
+ type: string + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + type: object + type: object + type: object ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. items: properties: bind: 
@@ -4660,12 +5228,96 @@ spec: be bound. type: string captureMode: + description: The captureMode option dictates how traffic to + the listener is expected to be captured (or not). enum: - DEFAULT - IPTABLES - NONE type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be + upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + type: object + type: object + type: object defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. type: string port: description: The port associated with the listener. @@ -4683,6 +5335,9 @@ spec: type: integer type: object tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. properties: caCertificates: description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. @@ -4694,8 +5349,14 @@ spec: type: string type: array credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. type: string httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. type: boolean maxProtocolVersion: description: 'Optional: Maximum TLS protocol version.' @@ -4716,6 +5377,8 @@ spec: - TLSV1_3 type: string mode: + description: 'Optional: Indicates whether connections to + this port should be secured using TLS.' enum: - PASSTHROUGH - SIMPLE 
@@ -4731,18 +5394,26 @@ spec: description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. type: string subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. items: type: string type: array verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. items: type: string type: array verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. items: type: string type: array type: object + required: + - port type: object type: array outboundTrafficPolicy: @@ -4763,6 +5434,8 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object mode: enum: @@ -4771,10 +5444,14 @@ spec: type: string type: object workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. properties: labels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. type: object type: object type: object @@ -4852,6 +5529,9 @@ spec: conditions. properties: mode: + description: This determines whether or not to apply the + access logging configuration based on the direction of + traffic relative to the proxied workload. enum: - CLIENT_AND_SERVER - CLIENT @@ -4865,6 +5545,8 @@ spec: name: description: Required. type: string + required: + - name type: object type: array type: object @@ -4915,6 +5597,8 @@ spec: - GRPC_RESPONSE_MESSAGES type: string mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' enum: - CLIENT_AND_SERVER - CLIENT @@ -4947,6 +5631,8 @@ spec: name: description: Required. type: string + required: + - name type: object type: array reportingInterval: 
@@ -4960,8 +5646,26 @@ spec: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object + targetRef: + description: Optional. + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object tracing: description: Optional. items: @@ -4997,6 +5701,8 @@ spec: type: string type: object header: + description: RequestHeader adds the value of an header + from the request to each span. properties: defaultValue: description: Optional. @@ -5025,6 +5731,9 @@ spec: description: Allows tailoring of behavior to specific conditions. properties: mode: + description: This determines whether or not to apply the + tracing configuration based on the direction of traffic + relative to the proxied workload. enum: - CLIENT_AND_SERVER - CLIENT @@ -5038,9 +5747,13 @@ spec: name: description: Required. type: string + required: + - name type: object type: array randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. nullable: true type: number useRequestIdForTraceSampling: @@ -5134,9 +5847,13 @@ spec: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. nullable: true type: boolean allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. items: type: string type: array 
@@ -5147,8 +5864,6 @@ spec: type: string type: array allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. items: type: string type: array @@ -5181,13 +5896,19 @@ spec: type: object type: array exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. items: type: string type: array maxAge: + description: Specifies how long the results of a preflight + request can be cached. type: string type: object delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. properties: name: description: Name specifies the name of the delegate VirtualService. @@ -5225,12 +5946,17 @@ spec: status: description: Specifies the HTTP response status to be returned. type: integer + required: + - status type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. oneOf: - not: anyOf: @@ -5267,6 +5993,9 @@ spec: type: object type: object delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. oneOf: - not: anyOf: @@ -5334,9 +6063,15 @@ spec: type: object type: object match: + description: Match conditions to be satisfied for the rule to + be activated. items: properties: authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: 
@@ -5393,12 +6128,18 @@ spec: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -5459,6 +6200,10 @@ spec: description: Query parameters for matching. type: object scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -5486,6 +6231,9 @@ spec: sourceLabels: additionalProperties: type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. type: object sourceNamespace: description: Source namespace constraining the applicability @@ -5496,6 +6244,10 @@ spec: statistics for this route. type: string uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -5552,6 +6304,8 @@ spec: type: object type: array mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. properties: host: description: The name of a service from the service registry. 
@@ -5566,15 +6320,13 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. nullable: true type: integer mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. nullable: true type: integer mirrorPercentage: @@ -5586,9 +6338,13 @@ spec: type: number type: object mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. items: properties: destination: + description: Destination specifies the target of the mirror + operation. properties: host: description: The name of a service from the service @@ -5604,13 +6360,19 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. properties: value: format: double type: number type: object + required: + - destination type: object type: array name: @@ -5632,8 +6394,13 @@ spec: - derivePort properties: authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. type: string derivePort: + description: 'On a redirect, dynamically set the port: * + FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP + and 443 for HTTPS.' enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT @@ -5643,12 +6410,16 @@ spec: the URL with this value. type: integer redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. type: string uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. type: string type: object retries: 
@@ -5681,6 +6452,8 @@ spec: value. type: string uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. type: string uriRegexRewrite: description: rewrite the path portion of the URI with the @@ -5701,6 +6474,9 @@ spec: items: properties: destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. properties: host: description: The name of a service from the service @@ -5716,6 +6492,8 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object headers: properties: @@ -5755,6 +6533,8 @@ spec: of traffic to be forwarded to the destination. format: int32 type: integer + required: + - destination type: object type: array timeout: @@ -5767,6 +6547,8 @@ spec: items: properties: match: + description: Match conditions to be satisfied for the rule to + be activated. items: properties: destinationSubnets: @@ -5788,14 +6570,14 @@ spec: sourceLabels: additionalProperties: type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. type: string type: object type: array @@ -5805,6 +6587,9 @@ spec: items: properties: destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. properties: host: description: The name of a service from the service 
@@ -5820,20 +6605,28 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer + required: + - destination type: object type: array type: object type: array tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. items: properties: match: + description: Match conditions to be satisfied for the rule to + be activated. items: properties: destinationSubnets: @@ -5860,11 +6653,15 @@ spec: sourceLabels: additionalProperties: type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string + required: + - sniHosts type: object type: array route: @@ -5873,6 +6670,9 @@ spec: items: properties: destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. properties: host: description: The name of a service from the service @@ -5888,14 +6688,20 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer + required: + - destination type: object type: array + required: + - match type: object type: array type: object 
@@ -5957,9 +6763,13 @@ spec: description: Cross-Origin Resource Sharing policy (CORS). properties: allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. nullable: true type: boolean allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. items: type: string type: array @@ -5970,8 +6780,6 @@ spec: type: string type: array allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. items: type: string type: array @@ -6004,13 +6812,19 @@ spec: type: object type: array exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. items: type: string type: array maxAge: + description: Specifies how long the results of a preflight + request can be cached. type: string type: object delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. properties: name: description: Name specifies the name of the delegate VirtualService. @@ -6048,12 +6862,17 @@ spec: status: description: Specifies the HTTP response status to be returned. type: integer + required: + - status type: object fault: description: Fault injection policy to apply on HTTP traffic at the client side. properties: abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. oneOf: - not: anyOf: @@ -6090,6 +6909,9 @@ spec: type: object type: object delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. oneOf: - not: anyOf: 
@@ -6157,9 +6979,15 @@ spec: type: object type: object match: + description: Match conditions to be satisfied for the rule to + be activated. items: properties: authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -6216,12 +7044,18 @@ spec: description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). type: string type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. type: object ignoreUriCase: description: Flag to specify whether the URI matching should be case-insensitive. type: boolean method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -6282,6 +7116,10 @@ spec: description: Query parameters for matching. type: object scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -6309,6 +7147,9 @@ spec: sourceLabels: additionalProperties: type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. type: object sourceNamespace: description: Source namespace constraining the applicability 
@@ -6319,6 +7160,10 @@ spec: statistics for this route. type: string uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -6375,6 +7220,8 @@ spec: type: object type: array mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. properties: host: description: The name of a service from the service registry. @@ -6389,15 +7236,13 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. nullable: true type: integer mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. nullable: true type: integer mirrorPercentage: @@ -6409,9 +7254,13 @@ spec: type: number type: object mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. items: properties: destination: + description: Destination specifies the target of the mirror + operation. properties: host: description: The name of a service from the service @@ -6427,13 +7276,19 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. properties: value: format: double type: number type: object + required: + - destination type: object type: array name: 
@@ -6455,8 +7310,13 @@ spec: - derivePort properties: authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. type: string derivePort: + description: 'On a redirect, dynamically set the port: * + FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP + and 443 for HTTPS.' enum: - FROM_PROTOCOL_DEFAULT - FROM_REQUEST_PORT @@ -6466,12 +7326,16 @@ spec: the URL with this value. type: integer redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. type: integer scheme: description: On a redirect, overwrite the scheme portion of the URL with this value. type: string uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. type: string type: object retries: @@ -6504,6 +7368,8 @@ spec: value. type: string uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. type: string uriRegexRewrite: description: rewrite the path portion of the URI with the @@ -6524,6 +7390,9 @@ spec: items: properties: destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. properties: host: description: The name of a service from the service @@ -6539,6 +7408,8 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object headers: properties: @@ -6578,6 +7449,8 @@ spec: of traffic to be forwarded to the destination. format: int32 type: integer + required: + - destination type: object type: array timeout: @@ -6590,6 +7463,8 @@ spec: items: properties: match: + description: Match conditions to be satisfied for the rule to + be activated. items: properties: destinationSubnets: 
@@ -6611,14 +7486,14 @@ spec: sourceLabels: additionalProperties: type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. type: string type: object type: array @@ -6628,6 +7503,9 @@ spec: items: properties: destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. properties: host: description: The name of a service from the service @@ -6643,20 +7521,28 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer + required: + - destination type: object type: array type: object type: array tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. items: properties: match: + description: Match conditions to be satisfied for the rule to + be activated. items: properties: destinationSubnets: @@ -6683,11 +7569,15 @@ spec: sourceLabels: additionalProperties: type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. type: object sourceNamespace: description: Source namespace constraining the applicability of a rule to workloads in that namespace. type: string + required: + - sniHosts type: object type: array route: @@ -6696,6 +7586,9 @@ spec: items: properties: destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. properties: host: description: The name of a service from the service 
@@ -6711,14 +7604,20 @@ spec: subset: description: The name of a subset within the service. type: string + required: + - host type: object weight: description: Weight specifies the relative proportion of traffic to be forwarded to the destination. format: int32 type: integer + required: + - destination type: object type: array + required: + - match type: object type: array type: object @@ -6780,6 +7679,8 @@ spec: - FAIL_OPEN type: string imagePullPolicy: + description: The pull behaviour to be applied when fetching Wasm module + by either OCI image or http/https. enum: - UNSPECIFIED_POLICY - IfNotPresent @@ -6787,6 +7688,8 @@ spec: type: string imagePullSecret: description: Credentials to use for OCI image pulling. + maxLength: 253 + minLength: 1 type: string match: description: Specifies the criteria to determine which traffic is @@ -6807,9 +7710,16 @@ spec: items: properties: number: + maximum: 65535 + minimum: 1 type: integer + required: + - number type: object type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map type: object type: array phase: 
@@ -6826,25 +7736,64 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 type: string priority: description: Determines ordering of `WasmPlugins` in the same `phase`. nullable: true type: integer selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. properties: matchLabels: additionalProperties: type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. type: object type: object sha256: description: SHA256 checksum that will be used to verify Wasm module or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + description: Optional. + properties: + group: + description: group is the group of the target resource. + type: string + kind: + description: kind is kind of the target resource. + type: string + name: + description: name is the name of the target resource. + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + type: object + type: + description: Specifies the type of Wasm Extension to be used. + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK type: string url: description: URL of a Wasm module or OCI container. + minLength: 1 type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: 'isURL(self) ? (url(self).getScheme() in ['''', ''http'', + ''https'', ''oci'', ''file'']) : (isURL(''http://'' + self) && + url(''http://'' +self).getScheme() in ['''', ''http'', ''https'', + ''oci'', ''file''])' verificationKey: type: string vmConfig: 
@@ -6856,22 +7805,41 @@ spec: items: properties: name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 type: string value: description: Value for the environment variable. + maxLength: 2048 type: string valueFrom: + description: Source for the environment variable's value. enum: - INLINE - HOST type: string + required: + - name type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? self.valueFrom : '''') != ''HOST'' + || !has(self.value)' + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map type: object + required: + - url type: object status: type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -6926,6 +7894,8 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: + description: Address associated with the network endpoint without + the port. type: string labels: additionalProperties: @@ -6936,6 +7906,8 @@ spec: description: The locality associated with the endpoint. type: string network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. type: string ports: additionalProperties: @@ -6943,6 +7915,8 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. type: string weight: description: The load balancing weight associated with the endpoint. @@ -6978,6 +7952,8 @@ spec: more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' properties: address: + description: Address associated with the network endpoint without + the port. type: string labels: additionalProperties: 
@@ -6988,6 +7964,8 @@ spec: description: The locality associated with the endpoint. type: string network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. type: string ports: additionalProperties: @@ -6995,6 +7973,8 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. type: string weight: description: The load balancing weight associated with the endpoint. @@ -7097,6 +8077,8 @@ spec: format: int32 type: integer httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' properties: host: description: Host name to connect to, defaults to the pod @@ -7120,6 +8102,8 @@ spec: type: integer scheme: type: string + required: + - port type: object initialDelaySeconds: description: Number of seconds after the container has started @@ -7142,6 +8126,8 @@ spec: type: string port: type: integer + required: + - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. @@ -7153,6 +8139,8 @@ spec: resources that belong to this `WorkloadGroup`. properties: address: + description: Address associated with the network endpoint without + the port. type: string labels: additionalProperties: @@ -7163,6 +8151,8 @@ spec: description: The locality associated with the endpoint. type: string network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. type: string ports: additionalProperties: 
@@ -7170,11 +8160,15 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object + required: + - template type: object status: type: object @@ -7198,6 +8192,10 @@ spec: openAPIV3Schema: properties: spec: + description: '`WorkloadGroup` enables specifying the properties of a single + workload for bootstrap and provides a template for `WorkloadEntry`, + similar to how `Deployment` specifies properties of workloads via `Pod` + templates.' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. @@ -7246,6 +8244,8 @@ spec: format: int32 type: integer httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' properties: host: description: Host name to connect to, defaults to the pod @@ -7269,6 +8269,8 @@ spec: type: integer scheme: type: string + required: + - port type: object initialDelaySeconds: description: Number of seconds after the container has started @@ -7291,6 +8293,8 @@ spec: type: string port: type: integer + required: + - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. @@ -7302,6 +8306,8 @@ spec: resources that belong to this `WorkloadGroup`. properties: address: + description: Address associated with the network endpoint without + the port. type: string labels: additionalProperties: @@ -7312,6 +8318,8 @@ spec: description: The locality associated with the endpoint. type: string network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. type: string ports: additionalProperties: 
@@ -7319,11 +8327,15 @@ spec: description: Set of ports associated with the endpoint. type: object serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. type: string weight: description: The load balancing weight associated with the endpoint. type: integer type: object + required: + - template type: object status: type: object @@ -7927,7 +8939,7 @@ data: - "-z" - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} - "-u" - - "1337" + - {{ .ProxyUID | default "1337" | quote }} - "-m" - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" - "-i" @@ -7994,8 +9006,8 @@ data: runAsUser: 0 {{- else }} readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsUser: 1337 + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsUser: {{ .ProxyUID | default "1337" }} runAsNonRoot: true {{- end }} {{ end -}} @@ -8178,11 +9190,17 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} - {{ if $nativeSidecar }} + {{ if .Values.global.proxy.startupProbe.enabled }} startupProbe: - {{ else }} - readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} {{ end }} + readinessProbe: httpGet: path: /healthz/ready port: 15021 @@ -8201,7 +9219,7 @@ data: - ALL privileged: true readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 + runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 {{- else }} 
@@ -8220,13 +9238,13 @@ data: - ALL privileged: {{ .Values.global.proxy.privileged }} readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - runAsGroup: 1337 + runAsGroup: {{ .ProxyGID | default "1337" }} {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false runAsUser: 0 {{- else -}} runAsNonRoot: true - runAsUser: 1337 + runAsUser: {{ .ProxyUID | default "1337" }} {{- end }} {{- end }} resources: @@ -8409,6 +9427,9 @@ data: lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} env: - name: JWT_POLICY value: {{ .Values.global.jwtPolicy }} @@ -9051,7 +10072,11 @@ data: - containerPort: 15090 protocol: TCP name: http-envoy-prom - image: {{.ProxyImage}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} args: - proxy @@ -9125,6 +10150,11 @@ data: resource: limits.cpu - name: ISTIO_META_CLUSTER_ID value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .Labels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} - name: ISTIO_META_INTERCEPTION_MODE value: REDIRECT - name: ISTIO_META_WORKLOAD_NAME 
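Review bot: In the `-9051` hunk (and again in the `-9306` hunk on the next line) the proxy `image:` is now taken from the `sidecar.istio.io/proxyImage` pod annotation whenever that value contains a `/`, with `.ProxyImage` only as the fallback, so anyone who can set pod annotations in an injected namespace appears able to select an arbitrary proxy image and registry. That is upstream Istio template behaviour, but for this cluster it is worth either restricting the annotation to a trusted registry prefix with an admission policy or recording the exposure with a comment above the template, for example `# sidecar.istio.io/proxyImage overrides the injected proxy image; restrict it by admission policy if untrusted users can annotate pods`. The enclosing template block starts and ends outside the hunk.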
@@ -9306,7 +10336,11 @@ data: serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} image: "{{ .ProxyImage }}" + {{- end }} {{- if .Values.global.proxy.resources }} resources: {{- toYaml .Values.global.proxy.resources | nindent 10 }} @@ -9321,8 +10355,8 @@ data: allowPrivilegeEscalation: false privileged: false readOnlyRootFilesystem: true - runAsUser: 1337 - runAsGroup: 1337 + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true {{- else }} capabilities: @@ -9635,9 +10669,9 @@ data: "includeOutboundPorts": "", "logLevel": "warning", "privileged": false, - "readinessFailureThreshold": 30, - "readinessInitialDelaySeconds": 1, - "readinessPeriodSeconds": 2, + "readinessFailureThreshold": 4, + "readinessInitialDelaySeconds": 0, + "readinessPeriodSeconds": 15, "resources": { "limits": { "cpu": "2000m", @@ -9648,6 +10682,10 @@ data: "memory": "128Mi" } }, + "startupProbe": { + "enabled": true, + "failureThreshold": 600 + }, "statusPort": 15020, "tracer": "zipkin" }, @@ -9663,7 +10701,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.19.0", + "tag": "1.20.2", "tracer": { "datadog": {}, "lightstep": {}, @@ -9979,7 +11017,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.19.0 + image: docker.io/istio/proxyv2:1.20.2 name: istio-proxy ports: - containerPort: 10001 @@ -10044,7 +11082,6 @@ spec: name: ingressgateway-ca-certs readOnly: true securityContext: - fsGroup: 1337 runAsGroup: 1337 runAsNonRoot: true runAsUser: 1337 
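Review bot: The `-10044` hunk drops `fsGroup: 1337` from the ingressgateway pod security context, and the `-10205` and `-10226` hunks on the next line go further for istiod, removing the discovery container's `runAsUser`/`runAsGroup` 1337 and the pod-level `fsGroup`, so the UID istiod runs as is now whatever the `docker.io/istio/pilot:1.20.2` image declares. `runAsNonRoot: true` is kept, so the kubelet will refuse the pod if that image has no numeric user, but nothing in the manifest records this dependency or the changed ownership of the projected `istio-token` and `istio-csr-ca-configmap` mounts. A comment on the istiod deployment such as `# UID/GID and fsGroup intentionally unpinned since 1.20; relies on the pilot image's non-root user` would preserve the intent, and checking the running discovery container's uid after rollout would confirm it. Both deployments continue outside these hunks.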
@@ -10163,8 +11200,6 @@ spec: value: /var/run/secrets/remote/config - name: PILOT_TRACE_SAMPLING value: "1" - - name: ISTIOD_ADDR - value: istiod.istio-system.svc:15012 - name: PILOT_ENABLE_ANALYSIS value: "false" - name: CLUSTER_ID @@ -10179,7 +11214,7 @@ spec: resource: limits.cpu - name: PLATFORM value: "" - image: docker.io/istio/pilot:1.19.0 + image: docker.io/istio/pilot:1.20.2 name: discovery ports: - containerPort: 8080 @@ -10205,9 +11240,7 @@ spec: drop: - ALL readOnlyRootFilesystem: true - runAsGroup: 1337 runAsNonRoot: true - runAsUser: 1337 volumeMounts: - mountPath: /var/run/secrets/tokens name: istio-token @@ -10226,8 +11259,6 @@ spec: - mountPath: /var/run/secrets/istiod/ca name: istio-csr-ca-configmap readOnly: true - securityContext: - fsGroup: 1337 serviceAccountName: istiod volumes: - emptyDir: diff --git a/manifest.json b/manifest.json index d8f8c3f..cdfa99e 100644 --- a/manifest.json +++ b/manifest.json @@ -1,6 +1,6 @@ { "name": "Kubernetes homelab", - "version": "1.28.1", + "version": "1.29.2", "author": "Lisenet", "homepage_url": "https://github.com/lisenet/kubernetes-homelab" } diff --git a/terraform/provider.tf b/terraform/provider.tf index b7e017b..d02a757 100644 --- a/terraform/provider.tf +++ b/terraform/provider.tf @@ -2,15 +2,15 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "4.0" + version = "5.37.0" } helm = { source = "hashicorp/helm" - version = "2.10.1" + version = "2.12.1" } kubernetes = { source = "hashicorp/kubernetes" - version = "2.21.1" + version = "2.26.0" } kubectl = { source = "gavinbunney/kubectl"